Historical OSINT: OPSEC-Aware Money Mule Recruiters Hire, Host Crimeware and Malvertisements

(2013-01-05 16:10) 

In the following intelligence brief, I will perform an analysis of the cybercriminal operations involving a group of individuals that operated successfully through 2009/2010, recruiting money mules, hosting ZeuS crimeware, and participating in a malvertising campaign.

Compared to a previous analysis where I profiled the [1]offensive client-side exploitation campaigns launched by money mule recruiters, in this analysis I'll focus on yet another OPSEC-aware ([2]Operational Security) gang of cybercriminals, this time blocking access to Google and to anti-money-laundering Web sites/research, in an attempt to trick the newly recruited mules into thinking that they're working for a legitimate company, preventing them from obtaining info on their new "employer".

Key summary points: 

• The group originally launched its operations in 2009, primarily focusing on highly targeted money mule recruitment campaigns

• Only two of the malicious domains involved in the 2009/2010 campaigns are still active, with the first serving adult content, and the second offering name server services to pharmaceutical scams, indicating that they haven't quite left the cybercrime ecosystem just yet

• The cybercriminals behind the campaign impersonated the legitimate [3]Sprott Asset Management company, and blocked access to its official site on the PCs of mules that executed the malicious "SSL Certificate" supplied to them as a requirement for joining the fake company

• Upon execution, the bogus SSL Certificate executable modified the HOSTS file on the affected hosts, blocking access to [4]ddanchev.blogspot.com and to [5]bobbear.co.uk to prevent potential money mules from reaching my "[6]Keeping Money Mule Recruiters on a Short Leash" series, and bobbear's vast archive of collected intelligence on money mule recruitment campaigns

• The group hosted multiple ZeuS crimeware variants using the same infrastructure as the money mule recruitment campaigns, and also participated in a malvertising campaign

• Although their initial 2009 operations were launched from AS39134, they later on migrated to a Kazakhstan-based bulletproof hosting provider (AS50793) that's no longer in operation, although there's a high probability that the Kazakhstan hosting service was part of a franchise, and is currently operating in another part of the world. The Web site of the bulletproof hosting provider was hosted in Ukraine (AS6714), an AS also known to have participated in numerous crimeware campaigns

• No malicious activity (besides their own operation) was found for AS39134, indicating that they probably got kicked out of the hosting provider for their attempts to recruit money mules

• The domain name of the Kazakhstan-based bulletproof hosting provider (AS50793) was registered using a GMail account in 2010

• The Kazakhstan-based bulletproof ISP's domain name is currently registered to an Iranian citizen, two years after the malicious activities took place, with no signs of malicious activity currently taking place there

This post has been reproduced from [7]Dancho Danchev's blog. Follow him [8]on Twitter.
Historical OSINT - Profiling an OPSEC-Unaware Vendor of GSM/USB ATM Skimmers and Pinpads

(2013-01-05 20:42) 

On a daily basis, I profile over a dozen newly advertised (verified) vendors of ATM skimmers, indicating that this market segment is still quite successful, thanks to the overall demand for these 'tools-of-the-trade', allowing potential cybercriminals to enter the world of ATM skimming.

In this post, part of the "Historical OSINT" series, I'll profile the underground market proposition of a vendor of GSM/USB ATM Skimmers and Pinpads that appeared on my radar back in 2008, with an emphasis on the lack of OPSEC (Operational Security) applied by them, and on the IP hosting changes of their main domain that took place throughout 2008, which in particular offer evidence of active multi-tasking on behalf of the same gang of cybercriminals.

What's particularly interesting about this vendor is the fact that, instead of advertising across popular and well known cybercrime-friendly Web communities, they themselves created a community around the market proposition, and started pitching their offer across the public Web, a clear indication of a lack of OPSEC (Operational Security) awareness.

On 2006-04-06, darkforum.net (ICQ 16-09-61/160961) was registered using the alsaleh@gawab.com email. On 2009-01-07, the registration email changed to blanerds@hushmail.com. These emails are not known to have been used in previous cybercrime-friendly campaigns.

Throughout 2008, the darkforum.net domain constantly changed IPs. The following is a complete list of the IP changes:

64.74.96.241

69.64.145.229 - IP already profiled in a [1]previously published analysis

63.251.92.197

216.8.177.23

69.25.142.57

208.73.212.12

87.242.73.96 - known [2]C&C server

64.208.225.139
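The two annotated entries in that list are the product of a routine infrastructure pivot: take a domain's resolution history, invert it into an IP-to-domains index, and cross-reference each hop against indicators already attributed to other activity. The following is an added example, not code from the original post, of that pivot. The eight darkforum.net IPs and the two annotations are the ones listed above; the first-seen dates, the second domain "shop-example.invalid" (added to show co-hosting) and "unrelated.invalid" are constructed for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed passive-DNS-style records: (domain, first_seen, ip).
# The darkforum.net IPs follow the order given in the post; the dates are
# made up, and the two ".invalid" domains are hypothetical.
RECORDS = [
    ("darkforum.net", date(2008, 1, 9), "64.74.96.241"),
    ("darkforum.net", date(2008, 2, 20), "69.64.145.229"),
    ("darkforum.net", date(2008, 4, 2), "63.251.92.197"),
    ("darkforum.net", date(2008, 5, 15), "216.8.177.23"),
    ("darkforum.net", date(2008, 6, 30), "69.25.142.57"),
    ("darkforum.net", date(2008, 8, 11), "208.73.212.12"),
    ("darkforum.net", date(2008, 10, 3), "87.242.73.96"),
    ("darkforum.net", date(2008, 12, 1), "64.208.225.139"),
    ("shop-example.invalid", date(2008, 3, 1), "69.64.145.229"),
    ("shop-example.invalid", date(2008, 9, 20), "87.242.73.96"),
    ("unrelated.invalid", date(2008, 5, 5), "198.51.100.7"),
]

# Indicators the post ties to other activity.
KNOWN_BAD = {
    "69.64.145.229": "profiled in an earlier analysis",
    "87.242.73.96": "known C&C server",
}


def timeline(records, domain):
    """Chronological (first_seen, ip) hops for one domain."""
    return sorted((seen, ip) for d, seen, ip in records if d == domain)


def ip_index(records):
    """Invert the records: ip -> set of every domain seen on that ip."""
    idx = defaultdict(set)
    for d, _, ip in records:
        idx[ip].add(d)
    return idx


def co_hosted(records, domain):
    """Other domains that shared at least one ip with `domain`, and on which ips."""
    idx = ip_index(records)
    shared = defaultdict(set)
    for _, ip in timeline(records, domain):
        for other in idx[ip] - {domain}:
            shared[other].add(ip)
    return dict(shared)


def flag_history(records, domain, known_bad=KNOWN_BAD):
    """Annotate each hop with its known-bad tag (or None). The fraction of hops
    landing on known-bad infrastructure is returned as a crude score."""
    hops = [(seen, ip, known_bad.get(ip)) for seen, ip in timeline(records, domain)]
    score = sum(1 for _, _, tag in hops if tag) / len(hops) if hops else 0.0
    return hops, score


if __name__ == "__main__":
    hops, score = flag_history(RECORDS, "darkforum.net")
    for seen, ip, tag in hops:
        print(f"{seen}  {ip:<16} {tag or ''}")
    print(f"known-bad hops: {score:.0%}")
    for other, ips in co_hosted(RECORDS, "darkforum.net").items():
        print(f"co-hosted with {other} on {sorted(ips)}")
```

The score is deliberately naive (every hop weighs the same); what matters in practice is the co-hosting output, which is what turns a list of IPs into a list of other domains worth pulling WHOIS and content for.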

The advertised brochure of the vendor:

Overview of the technology involved: Here is how it all works.

Full operating instructions are included with the entire package; this page is here for informative purposes. The Card Reader reads ATM & credit cards and sends the data tracks through SMS to a phone. The pin-pad catches the pushing of the pin number through the keypad and also sends the data through SMS.

SMS data comes to a programmable mobile phone number, which you will set to a safe number of yours. It is advised to connect your phone to a computer, and download the track data to your computer as it arrives. After every 2-message track+pin combo, an SMS is sent from each GSM device with a status update. From your computer, you can keep track of the whole operation.


The GSM Kit comes with an MSR206 device and track writing software. From your computer, you retrieve the track data and pin numbers from SMS messages, and then write the tracks to swipe cards. With the cloned ATM/Credit cards, you simply use the pin to cash them out at ATM machines.

Receiving:

Received data on the computer is encrypted. For the decryption, there is a separate program, which is included on the software DVD. Decrypted data is then ready to be written on cards.

Thus we have a secure working environment. None of your cashiers or crew can get the unencrypted data. Only the user of the software, who controls the operation. This kit is built on brand new technology. We have put a lot of time and money into the development and design. As a result, this is currently the most efficient method of retrieving dumps and pins.

For example, the first skimmers were used with a camera, and at the given moment the skimmer works with the transmission of data on the GSM network, with the sending of SMS or with the subtraction of data after calling it. In this case the complete reliability of the work of the equipment is checked by time and the experience of many people. For example, now we use multilayer printed-circuit boards, similar to those used in laptop computers or mobile telephones, with silver contacts and working from the oxidation, although previously they were altogether only old boards. Now for the size decrease it is necessary to proceed with decent expenditures in order to decrease the sizes and in this case to increase reliability.

Our skimmers were actually originally developed for personal use, not for sale. They were designed with the most robust, smallest and most efficient parts at each stage of the building process.

Why small? Well, it is better to have a small unit that fits discreetly onto the ATM machine. Why GSM? Because it is possible to receive SMS from a remote location. Nobody has ever been caught by police with a GSM skimmer, to the best of our knowledge. Each day our team is working on the development of newer and newer technologies.

From time to time we apply our improvements to our range of products. Thus we from time to time change to new designs of housings; we improve the capability of batteries, or the switching system. For example, the new version of our software has some improvements over previous versions and is regularly updated. Usually clients send on their feature requests and we are frequently building them into our newest kits.
Our skimmers can read a change in the rate of card conduction. For example, if we insert the card slowly, and then accelerate it, our magnetic strip reader will read and correct this. We read both tracks' info from both sides of the strip. We read reliably, with a 99.9 % correct rate of reading. Sending of SMS occurs from the internal components of two Sony Ericsson 850i units. The batteries, visible in some of the pictures, are from Motorola phones. The internal circuitry of the phones is connected to a digital circuit and chip which receive the information from the pinpad and magnetic reader, respectively. You will need 3 sim cards; pre-paid is recommended. Each reading sends 4 SMS messages: 1 with the track information, 1 with the pin, and 1 from each unit with a status update.

On each sim card, you will have to save the phone number of your home mobile phone's sim card under the name "home". The internal circuitry and interface with the SE850i unit will look to this number to send both the track data and the pin numbers.


The internal processing chip encrypts the data before sending SMS to the computer. In the kit, the decoding program is included, which with one click will transfer the crypted dump into plain text. On opening this program, it is necessary to enter a password. But if the password is incorrect, the program will close with a system error message, rather than responding with an incorrect password message. This is an obvious security feature. Each unit has an individual serial number and password. The password is included in the full package; it is possible to request that the password be communicated online, rather than be included with the software and package.

I will give a couple of working examples of scenarios. If someone attempts to open the program and types an incorrect password, an error message is displayed and the software will "crash". It gives the impression that the software is simply not working. But if the correct password is entered, then it will start. If necessary, it is possible to simply say that the software is just something downloaded from the Internet, but it does not work, and you forgot to remove it. And no specialist will be able to prove what kind of program it is.

The exterior appearance and feel of our devices is built based on the original appearance of the ATM machine. In other words, if one instrument incorporates smooth lines and sleek curves, then our device will appear very similar on its exterior housing. It is virtually unnoticeable that there has been a modification to the ATM. The paint with which we spray our housings is matched to the paint on the original ATMs. Our method of colouring accurately reproduces the originals, while maintaining all the characteristics of colouring, including varying temperature conditions, the angle of incidence of the paint, pressure, time of polymerization, etc.

As such we attained a perfect match of paint, tone of paint, reflection, and nuances with the different angles of incidence of light, feeling of the surface and so forth. On the job, this looks and feels exactly the same as an un-modified ATM. All instruments are powered from Li-ion batteries. A charger is included in the complete set. Each battery is sufficient for 2-3 days of work (at a rated temperature of 22 Celsius). We have carried out extensive tests to find the maximum quantity of SMS which can be sent from one battery. Tests showed that we could send 1400 SMS from one battery without a recharge. The majority of the time, the instrument stands in standby mode. Very little power is used until the card is inserted or the pinpad is pressed, when track data is collected, and pins are collected.


The complete set comes with everything you need to run a full operation. However, the batteries need to be fully charged and recharged. This means that it is necessary to give 2-3 complete cycles of charging and discharging. This makes it possible for the battery to work longer. As a rule, by this "warming-up" of the batteries the length of time they will operate will increase by 30-40 %.

Again we stress that we are moving ahead, and developing more advanced devices. The current range for sale has been extensively tested and proven as a reliable kit.

USB Flash memory skimmers:

We have a cheaper range of non-GSM skimming kit for sale. This is mostly bought by new users, as experienced, wealthy crews will be using the more modern GSM skimmers.

Our range starts with a basic skimmer & hidden camera, pre-installed inside a discreet case, with flash storage and timestamps. Our basic skimmers are just as discreet and physically sound as our expensive GSM kit. They contain a 512 MB flash card, and a ROM chip with a tiny card writer to record the info to the micro SD card. These kits come with an MSR206 and a multi card reader to retrieve the dumps + pins from both devices. If you already own an MSR206, it can be removed from the package and a small discount can be given.

Pinpad info 

Basic features of our pinpads are: 

1. Ultra thin, around 3mm and it looks slimmer because of 
some design tricks 

2. Real Stainless-Steel Material Frame and the keys 

3. Exact same size as the actual ATM's pinpad 

4. Special plated frame and keys that do not hold fingerprints well

5. Ultra low power consumption 

6. Various languages supported 
Technical Information on Charging and Communicating:

As usual, you may charge your pinpad through the USB communication cable. Charging is automatic: when you plug the cable into the pinpad, it will start charging. You can communicate with the pinpad while charging. You should charge your pinpad for a minimum of 2 hours before operation. Try to use a USB port on a desktop computer instead of a laptop or USB hub. If you need to use a laptop then make sure you are using the laptop with its power adapter connected, otherwise you will try to charge the pinpad's battery with the laptop's battery and this will result in poor charging. Remember, you have to check the date and time of your pinpad and adjust it if needed before operation. Setting the date/time is very easy using the software provided.

There are some limits on USB charging. USB charging is good if your skimming operation lasts 12-16 hours. If you require your pinpad to last longer then you have to buy a Lithium-Polymer (Li-Po) 3.7v generic charger for charging the battery of your pinpad. We can include this with the full kit for an extra cost. You may contact us if you bought a Li-Po charger and want to use it with your pinpad.

You must be extremely careful when plugging the cable into the pinpad! There was not enough space in the pinpad for us to place a generic USB socket that eliminates user mistakes when plugging in the cable. We used a plain socket that allows the user to plug the cable in any direction/position. If you plug the cable in the wrong direction/position then your pinpad electronics may be damaged. There is also a risk to your battery. So pay special attention when plugging the cable into your pinpad for data transfer and/or charging. Check the picture below for concise instructions on how to plug the cable into your pinpad.

Follow these steps for easy plugging:

1. Identify the red wire on the cable's socket

2. Identify the red wire on the pinpad's socket

3. The red wire of the pinpad's socket should always be near the crystal, and should join with the other red wire.

4. Then plug it like this:

Information on Installing and Removing to/from ATM:

You should use transparent fast glues to glue your Pinpad. You have to be very careful NOT TO GLUE the membrane of your Pinpad. You only need to glue the back of the frame of the Pinpad, only the places where it touches the ATM. Again, no membrane or keys!!! You should use the 2 holes designed for removing the Pinpad from the ATM. You may use a small screwdriver or knife or similar.

You have to be very careful when removing the pinpad from the ATM. You should not damage the membrane of the pinpad when using a screwdriver or knife to remove it. Several practice attempts on a flat surface are recommended.

You should try with a very small amount of glue for your tests to see and understand how it sticks. Then you should decide what amount of glue will be used when you are on the job. Your tests are the key to your success. Test your skimmer on the ATM with no glue/less glue etc. for experience. Never start skimming before feeling you understand all the logic.

Our Software Description

To work with a skimmer, a computer is necessary of course. You need to save your dumps (card data tracks) there! We will provide you with software which can completely control your skimmer. Using this software, you can download dumps from the skimmer/input them from SMS, remove them from the skimmer unit, etc.

The program saves everything in crypted form, so that you don't have to worry about being ripped off. No one will be able to retrieve your data without the password. The password is included in the complete package, or can be sent separately online for security purposes. Each skimmer is basically a small computer, with a processor, flash storage, the internals of a SE850i mobile (cellular/GSM) phone, through which it sends info, and it has an EEPROM chip which boots up and operates the unit. So that takes care of software and passwords. Software is supplied in the complete set with the equipment directly to the buyer, even if the transaction is done through some mediator, and passwords are given only to the buyer. We make it so that the mediator cannot obtain both the software and the passwords.

The program does not show dumps on the screen. Also it does not preserve dumps in the open form. With the retention they are ciphered by a serious key. At the start of the program it will request your password. But if the password is introduced incorrectly, it simply closes down and prints a system error on the screen. This creates the impression that the program is simply nonworking. And if you will not input the correct password, there's no way to even know what kind of program it is. This was created so that non-critical people with an attempt at the start would not attempt to select the password. Let's just say suddenly the police get the laptop on which the program is installed. Naturally, they will ask you about the password. If you are creative, you will give them a fake password, which they enter, and the program will simply shut down and write that an error occurred. This will give the impression that the program is non working. And you can boldly tell that the "program never worked, and I just forgot to delete it".

The dumps are stored in an encrypted file, which it is not possible to decrypt. There will be no evidence left on your computer, once the police do not get a hold of the password.

The software itself is easy to use. There are no extra options or excess instructions. It is self explanatory, but full instructions are included with the full kit. If you have any other questions we will try our best to answer them from our administration team or our software developers.
Safety:

We are often asked questions about safety when we are working with skimmers. On this page, I will try to give some good safety advice for cashing out and operating a successful skimming operation.

Observation:

It is recommended to observe the target ATM, unobtrusively, for 1-2 days beforehand. Record at what times the ATM is busy, what times it is quiet, and at what time it is serviced and money is put into the machine, if it is a free standing unit.

Equipment preparation:

It is recommended to check all your equipment before the installation. Make sure that you have practised with some dummy ATM cards beforehand and have transferred your own ATM card, or similar, into track data, SMS, decrypt, and write to a "white card" with your MSR206 card writer.
Work for the fitter/installer:

The installer must be good with their hands. They must accurately and rapidly carry out their work, and quietly leave the area. Some crews will have their fitter dress up in a uniform to make them appear to be servicing the ATM. This is not such a good idea. Just go to the ATM when it is quiet. Perhaps have an assistant stand a distance away, to distract passers-by or other users of the ATM. The whole process can take less than 30 seconds.

Operation of the device:

The place and the time of the installation should be selected beforehand. An observation point might be necessary. There should be somewhere to safely park your car from which to observe the operation of the skimmer and pinpad. If you are waiting in a car, it is not recommended that you have a laptop + msr + phone receiving and writing the data. If the operation is busted in this manner, you lose everything. However, if you are at home, you will have at least several hours in which to write the cards and cash them out. Your observation person should have enough food, water, etc to last in the car for the complete duration of the operation if possible. One plan that some crews use now is observation from an apartment or hotel close to the ATM. With this, you can cut down on the number of your crew. But be careful, use fake identification if you can.

Full details of the installation are described with pictures in a series of PDF files included on the software and instructions DVD. The fitter/installer should put a card into the machine and reject it quickly when fitting. The receiver, working on the "home" computer, will receive the track, and confirm that it stuck on properly. 99 % of the time, it sticks no problem. This is also useful to find that the card is ejecting properly.
When removing equipment, your crew should be trained and ready. Some crews do not risk withdrawing equipment, as the average 1-day run will net $20,000-$50,000 USD depending on where you are. However if you are confident about removing it, you should take it to run the operation again. If apprehended while removing the equipment, the remover should protest innocence. They should say that they saw something suspicious, and were trying to take it off the ATM to bring to the police/bank. The crew member should look and act like a respectable citizen. You do not need a crew of thugs for this operation. You need a well-spoken, relaxed, confident team. It can be done with just 2 people, but 3 is recommended. Observing the guy removing the kit is a good idea, and walkie-talkies are useful. If the observer sees someone approaching the removal guy, he should "squawk" his walkie-talkie, and the remover can disappear quickly.
Cashing out the money:

On many ATMs, there is a monitoring camera. Cameras are usually motion activated. We advise that you do not stay at one ATM more than 5 minutes, and do not tie up an ATM if there are people in the queue. Do not always cash out at an ATM belonging to one single bank, nor should you ever cash out your cards on the ATM that you skimmed them on.

Many crews will have several people working on cashing out, and they work 10 cards per person per time, all returning the money to the controller periodically. If you are cashing out at night at a quiet ATM, having hoods up is a good idea to prevent the camera from seeing you. That's just about everything you need to know to operate a safe, extremely lucrative ATM skimming business.

The Kit includes a software DVD (with full instructions), MSR206, Skimmer + Pinpad, and encryption key to decode dumps which are encrypted on the devices. Note: Only skimmed tracks are encrypted, pins are not encrypted. Rental schemes are available, where we keep the encryption key for the 1st operation of the skimmer, and provide you with 20 unencrypted dumps + pins. This rental scheme costs €1400 for USB kits, and €2200 for GSM kits.

My initial discovery of this cybercrime-friendly market proposition coincides with the publication of a related post back in 2008, for the first time ever publicly disclosing important details regarding the emergence of [3]ATM Skimmers with built-in GSM modules.

Nowadays, these are everyday reality.

This post has been reproduced from [4]Dancho Danchev's blog. Follow him [5]on Twitter.

1. http://ddanchev.blogspot.com/2008/08/facebook-malware-campaigns-rotating.html

2. http://www.bothunter.net/live/2011-10-15/index.html

3. http://www.zdnet.com/blog/security/scammers-introduce-atm-skimmers-with-built-in-sms-notification/2000

4. http://ddanchev.blogspot.com/

5. http://twitter.com/danchodanchev
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Historical OSINT - Profiling an OPSEC-Unaware 
Vendor of GSM/USB ATM Skimmers and Pinpads 

(2013-01-05 20:42) 

On daily basis, I profile over a dozen of newly advertised 
(verified) vendors of ATM skimmers, indicating that this 

market segment is still quite successful, thanks to the 
overall demand for these 'tools-of-the-trade', allowing 
potential 

cybercriminals to enter the world of ATM skimming. 

In this post part of the "Historical OSINT" series. I'll profile 
the underground market proposition of a vendor 

of GSM/USB ATM Skimmers and Pinpads, that appeared on 
my radar back in 2008, with an emphasis on the lack 















of OPSEC (Operational Security) applied by them, and the IP 
hosting changes of their main domain that took place 

throughout 2008, in particular, offer evidence of active 
multi-tasking on behalf of the same gang of cybercriminals. 

What's particularly interesting about this vendor is the fact 
that, instead of advertising across popular and 

well known cybercrime-friendly Web communities, they 
themselves created a community around the market 

proposition, and started pitching their offer across the 
public Web, a clear indication for a lack of OPSEC 
(Operational 

Security) awareness. 

On 2006-04-06, darkforum.net (ICQ 16-09-61/160961) 
was registered using the alsaleh@gawab.com email. 

On 2009-01-07, the registration email changed to 
blanerds@hushmail.com. These emails are not known to 
have 

been used in previous cybercrime-friendly campaigns. 

Throughout 2008, the darkforum.net domain constantly 
changed IPs. The following is a complete list of the 

IP changes: 

64.74.96.241 

69.64.145.229 - IP already profiled in a [IJpreviously 
published analysis 


63.251.92.197 
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216.8.177.23 

69.25.142.57 

208.73.212.12 

87.242.73.96 - known [2]C &C server 
64.208.225.139 

The advertised brochure of the vendor: 

Overview of the technology involved: Here is how it all 
works. 

Full operating instructions are included with the entire 
package, this page is here for informative purposes. The 
Card Reader reads ATM & credit cards and sends the data 
tracks through SMS to a phone. The pin-pad catches the 
pushing 

of the pin number through the keypad and also sends the 
data through SMS. 

SMS data comes to a programmable mobile phone number, 
which you will set to a safe number of yours, it is 

advised to connect your phone to a computer, and 
download the track data to your computer as it arrives. 

After 

every 2 message track-hpin combo, an SMS is sent from 
each GSM device with a status update. From your computer. 


you can keep track of the whole operation. 

The GSM Kit comes with an MSR206 device and track 
writing software. From your computer, you retrieve the track 

data and pin numbers from SMS messages, and then write 
the tracks to swipe cards with the cloned ATM/Credit 

cards, you simply use the pin to cash them out at ATM 
machines. 

Receiving: 

Received Data on the computer is encrypted. For the 
decryption, there is a separate program, which is included 
on 

the software DVD. Decrypted data is then ready to be 
written on cards. 

Thus we have a secure working environment. None of your 
cashiers or crew can get the unencrypted data. 
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Only the user of the software, who controls the operation. 
This kit is built on brand new technology. We have put 

a lot of time and money into the development and design. 
As a result, this is currently the most efficient method of 

retrieving dumps and pins. 

for example the first skimmers were used with a camera, 
and on the given moment of skimmer it works with 


the transmission of data on network GSM, with the sending 
SMS or with the subtraction of data after caiiing it. in this 
case the compiete reiiabiiity of the work of equipment, 
checked by time and experience of many peopie. For 
exampie 

now we use the muitiiayer printed-circuit boards, simiiar, as 
are used in the iaptop computers or mob teiephones, 

with the siiver contacts and the working from the oxidation 
a it ho ugh previousiy they were a i together oniy oid boards. 

Now for the size decrease is necessary to proceed with 
decent expenditures in order to decrease the sizes and in 
this 

case to increase reiiabiiity. 

Our skimmers were actuaiiy originaiiy deveioped for 
personai use, not for saie. They were designed with the 

most robust, smaiiest and most efficient parts at each stage 
of the buiiding process. 

Why smaii? Weii, it is better to have a smaii unit, that fits 
discreteiy onto the ATM machine. Why GSM? Because it 

is possibie to receive SMS at from a remote iocation. 

Nobody has ever been caught by poiice with a GSM 
skimmer, 

to the best of our knowiedge. Each day our team is working 
on the deveiopment of newer and newer technoiogies. 

From time to time we appiy our improvements to our range 
of products. Thus we from time to time change to new 



designs of housings; we inn prove the capabiiity of batteries, 
or the switching system. For exam pie, the new version of 

our software has some improvements over previous 
versions and is reguiariy updated. Usuaiiy ciients send on 
their 

feature requests and we are frequentiy buiiding them into 
our newest kits. 
Our skimmers can read a change in the rate of card conduction. For example, if we insert the card slowly, and then accelerate it, our magnetic strip reader will read and correct this. We read both tracks' info from both sides of the strip. We read reliably, with a 99.9 % correct rate of reading. Sending of SMS occurs from the internal components of two Sony Ericsson 850i units. The batteries, visible in some of the pictures, are from Motorola phones. The internal circuitry of the phones is connected to a digital circuit and chip which receive the information from the pinpad and magnetic reader, respectively. You will need 3 SIM cards; pre-paid is recommended. Each reading sends 4 SMS messages: 1 with the track information, 1 with the PIN, and 1 from each unit with a status update.

On each SIM card, you will have to save the phone number of your home mobile phone's SIM card under the name "home". The internal circuitry and interface with the SE850i unit will look to this number to send both the track data and the PIN numbers.

The internal processing chip encrypts the data before sending SMS to the computer. In the kit, the decoding program is included, which with one click will transfer the crypted dump into plain text. On opening this program, it is necessary to enter a password. But if the password is incorrect, the program will close with a system error message, rather than responding with an incorrect password message. This is an obvious security feature. Each unit has an individual serial number and password. The password is included in the full package; it is possible to request that the password be communicated online, rather than be included with the software and package.

I will give a couple of working examples of scenarios. If someone attempts to open the program and types an incorrect password, an error message is displayed and the software will "crash"; it gives the impression that the software is simply not working. But if the correct password is entered, then it will start. If necessary, it is possible to simply say that the software is just something downloaded from the Internet, but it does not work, and you forgot to remove it. And no specialist will be able to prove what kind of program it is.

The exterior appearance and feel of our devices is built based on the original appearance of the ATM machine. In other words, if one instrument incorporates smooth lines and sleek curves, then our device will appear very similar on its exterior housing. It is virtually unnoticeable that there has been a modification to the ATM. The paint with which we spray our housings is matched to the paint on the original ATMs. Our method of colouring accurately reproduces the originals, while maintaining all the characteristics of colouring, including varying temperature conditions, the angle of incidence of the paint, pressure, time of polymerization, etc.

As such we attained a perfect match of paint, tone of paint, reflection, and nuances with the different angles of incidence of light, feeling of the surface and so forth. On the job, this looks and feels exactly the same as an un-modified ATM. All instruments are powered from Li-ion batteries. A charger is included in the complete set. Each battery is sufficient for 2-3 days of work (at a rated temperature of 22 Celsius). We have carried out extensive tests to find the maximum quantity of SMS which can be sent from one battery. Tests showed that we could send 1400 SMS from one battery without a recharge. The majority of the time, the instrument stands in standby mode. Very little power is used until the card is inserted or the pinpad is pressed, when track data is collected, and pins are collected.

The complete set comes with everything you need to run a full operation. However, the batteries need to be fully charged and recharged. This means that it is necessary to give 2-3 complete cycles of charging and discharging. This makes it possible for the battery to work longer. As a rule, by this "warming-up" of the batteries the length of time they will operate will increase by 30-40 %.

Again we stress that we are moving ahead, and developing more advanced devices. The current range for sale has been extensively tested and proven as a reliable kit.

USB Flash memory skimmers:

We have a cheaper range of non-GSM skimming kit for sale. This is mostly bought by new users, as experienced, wealthy crews will be using the more modern GSM skimmers.

Our range starts with a basic skimmer & hidden camera, pre-installed inside a discrete case, with flash storage and timestamps. Our basic skimmers are just as discrete and physically sound as our expensive GSM kit. They contain a 512 MB flash card, and a ROM chip with tiny card writer to record the info to the micro SD card. These kits come with an MSR206 and a multi card reader to retrieve the dumps + pins from both devices.

If you already own an MSR206, it can be removed from the package and a small discount can be given.

Pinpad info

Basic features of our pinpads are:

1. Ultra thin, around 3mm, and it looks slimmer because of some design tricks
2. Real stainless-steel material frame and keys
3. Exact same size as the actual ATM's pinpad
4. Special plated frame and keys that do not hold fingerprints well
5. Ultra low power consumption
6. Various languages supported
Technical Information on Charging and Communicating:

As usual, you may charge your pinpad through the USB communication cable. Charging is automatic: when you plug the cable into the pinpad, it will start charging. You can communicate with the pinpad while charging. You should charge your pinpad for a minimum of 2 hours before operation. Try to use a USB port on a desktop computer instead of a laptop or USB hub. If you need to use a laptop then make sure you are using the laptop with its power adapter connected; otherwise you will try to charge the pinpad's battery with the laptop's battery and this will result in poor charging. Remember, you have to check the date and time of your pinpad and adjust it if needed before operation. Setting the date/time is very easy using the software provided.

There are some limits on USB charging. USB charging is good if your skimming operation lasts 12-16 hours. If you require your pinpad to last longer then you have to buy a Lithium-Polymer (Li-Po) 3.7V generic charger for charging the battery of your pinpad. We can include this with the full kit for an extra cost. You may contact us if you bought a Li-Po charger and want to use it with your pinpad.

You must be extremely careful when plugging the cable into the pinpad! There was not enough space in the pinpad for us to place a generic USB socket that eliminates user mistakes when plugging in the cable. We used a plain socket that allows the user to plug the cable in any direction/position. If you plug the cable in the wrong direction/position then your pinpad electronics may be damaged. There is also a risk to your battery. So pay special attention when plugging the cable into your pinpad for data transfer and/or charging. Check the picture below for concise instructions on how to plug the cable into your pinpad.

Follow these steps for easy plugging:

1. Identify the red wire on the cable's socket
2. Identify the red wire on the pinpad's socket
3. The red wire of the pinpad's socket should always be near the crystal, and should join with the other red wire.
4. Then plug it like this:

Information on Installing and Removing to/from ATM:

You should use transparent fast glues to glue your Pinpad. You have to be very careful NOT TO GLUE the membrane of your Pinpad. You only need to glue the back of the frame of the Pinpad, only the places where it touches the ATM. Again, no membrane or keys!!! You should use the 2 holes designed for removing the Pinpad from the ATM. You may use a small screwdriver or knife or similar.

You have to be very careful when removing the pinpad from the ATM. You should not damage the membrane of the pinpad when using a screwdriver or knife to remove it. Several practice attempts, on a flat surface, are recommended.

You should try with a very small amount of glue for your tests to see and understand how it sticks. Then you should decide what amount of glue will be used when you are on the job. Your tests are the key to your success. Test your skimmer on the ATM with no glue/less glue etc. for experience. Never start skimming before feeling you understand all the logic.

Our Software Description

To work with a skimmer, a computer is necessary of course. You need to save your dumps (card data tracks) there! We will provide you with software which can completely control your skimmer. Using this software, you can download dumps from the skimmer/input them from SMS, remove them from the skimmer unit, etc.

The program saves everything in crypted form, so that you don't have to worry about being ripped off. No one will be able to retrieve your data without the password. The password is included in the complete package, or can be sent separately online for security purposes. Each skimmer is basically a small computer, with a processor, flash storage, the internals of a SE850i mobile (cellular/GSM) phone, through which it sends info, and it has an EEPROM chip which boots up and operates the unit. So that takes care of software and passwords. Software is supplied in the complete set with the equipment directly to the buyer, even if the transaction is done through some mediator, and passwords are given only to the buyer. We make it so that the mediator cannot obtain both the software and the passwords.

The program does not show dumps on the screen. Also it does not preserve dumps in the open form. With the retention they are ciphered by a serious key. At the start of the program it will request your password. But if the password introduced is incorrect, it simply closes down and prints a system error on the screen. This creates the impression that the program is simply nonworking. And if you will not input the correct password, there's no way to even know what kind of program it is. This was created so that non-critical people with an attempt at the start would not attempt to select the password. Let's just say suddenly the police get the laptop on which the program is installed. Naturally, they will ask you about the password. If you are creative, you will give them a fake password, which they enter, and the program will simply shut down and write that an error occurred. This will give the impression that the program is non-working. And you can boldly tell that the "program never worked, and I just forgot to delete it".

The dumps are stored in an encrypted file, which it is not possible to decrypt. There will be no evidence left on your computer, once the police do not get hold of the password.

The software itself is easy to use. There are no extra options or excess instructions. It is self-explanatory, but full instructions are included with the full kit. If you have any other questions we will try our best to answer them from our administration team or our software developers.

Safety:

We are often asked questions about safety when we are working with skimmers. On this page, I will try to give some good safety advice for cashing out and operating a successful skimming operation.

Observation:

It is recommended to observe the target ATM, unobtrusively, for 1-2 days beforehand. Record at what times the ATM is busy, what times it is quiet, and at what time it is serviced and money is put into the machine, if it is a free-standing unit.

Equipment preparation:

It is recommended to check all your equipment before the installation. Make sure that you have practised with some dummy ATM cards beforehand and have transferred your own ATM card, or similar, into track data, SMS, decrypt, and write to a "white card" with your MSR206 card writer.

Work for the fitter/installer:

The installer must be good with their hands. They must accurately and rapidly carry out their work, and quietly leave the area. Some crews will have their fitter dress up in a uniform to make them appear to be servicing the ATM. This is not such a good idea. Just go to the ATM when it is quiet. Perhaps have an assistant stand a distance away, to distract passers-by or other users of the ATM. The whole process can take less than 30 seconds.

Operation of the device:

The place and the time of the installation should be selected beforehand. An observation point might be necessary. There should be somewhere to safely park your car from which to observe the operation of the skimmer and pinpad. If you are waiting in a car, it is not recommended that you have a laptop + MSR + phone receiving and writing the data. If the operation is busted in this manner, you lose everything. However, if you are at home, you will have at least several hours in which to write the cards and cash them out. Your observation person should have enough food, water, etc. to last in the car for the complete duration of the operation if possible. One plan that some crews use now is observation from an apartment or hotel close to the ATM. With this, you can cut down on the number of your crew. But be careful; use fake identification if you can.

Full details of the installation are described with pictures in a series of PDF files included on the software and instructions DVD. The fitter/installer should put a card into the machine and reject it quickly when fitting. The receiver, working on the "home" computer, will receive the track, and confirm that it stuck on properly. 99 % of the time, it sticks no problem. This is also useful to find that the card is ejecting properly.

When removing equipment, your crew should be trained and ready. Some crews do not risk withdrawing equipment as the average 1-day run will net $20,000-$50,000 USD depending on where you are. However if you are confident about removing it, you should take it to run the operation again. If apprehended while removing the equipment, the remover should protest innocence. They should say that they saw something suspicious, and were trying to take it off the ATM to bring to police/bank. The crew member should look and act like a respectable citizen. You do not need a crew of thugs for this operation. You need a well-spoken, relaxed, confident team. It can be done with just 2 people, but 3 is recommended. Observing the guy removing the kit is a good idea, and walkie-talkies are useful. If the observer sees someone approaching the removal guy, he should "squawk" his walkie-talkie, and the remover can disappear quickly.

Cashing out the money:

On many ATMs, there is a monitoring camera. Cameras are usually motion activated. We advise that you do not stay at one ATM more than 5 minutes, and do not tie up an ATM if there are people in the queue. Do not always cash out at an ATM belonging to one single bank, nor should you ever cash out your cards on the ATM that you skimmed them on.

Many crews will have several people working on cashing out, and they work 10 cards per person per time, all returning the money to the controller periodically. If you are cashing out at night at a quiet ATM, having hoods up is a good idea to prevent the camera from seeing you. That's just about everything you need to know to operate a safe, extremely lucrative ATM skimming business.

The Kit includes a software DVD (with full instructions), MSR206, Skimmer + Pinpad, and encryption key to decode dumps which are encrypted on the devices. Note: Only skimmed tracks are encrypted, pins are not encrypted. Rental schemes are available, where we keep the encryption key for the 1st operation of the skimmer, and provide you with 20 unencrypted dumps + pins. This rental scheme costs €1400 for USB kits, and €2200 for GSM kits.

My initial discovery of this cybercrime-friendly market proposition coincides with the publication of a related post back in 2008, which for the first time ever publicly disclosed important details regarding the emergence of [3]ATM skimmers with built-in GSM modules.

Nowadays, these are an everyday reality.

Updates will be posted as soon as new developments take place.

1. http://ddanchev.blogspot.com/2008/08/facebook-malware-campaigns-rotating.html

2. http://www.bothunter.net/live/2011-10-15/index.html

3. http://www.zdnet.com/blog/security/scammers-introduce-atm-skimmers-with-built-in-sms-notification/2000
Raw Historical OSINT - Keeping Money Mule Recruiters on a Short Leash - Part Twelve (2013-01-07 22:56)

In the following (historical) intelligence brief, I'll provide you with some raw domain data of fake companies that are known to have attempted to recruit money mules over the past 2 years.

The domains listed here were registered by the same gang of cybercriminals that I've been extensively profiling in previous "Keeping Money Mule Recruiters on a Short Leash" posts.
Money mule recruitment domains:

compassllc-usa.com
linkllc-uk.com
very-compllc.com
click-n-art.com
infotechgroup-inc.com
amplitude-groupmain.tw
magnet-groupinc.cc
allston-groupsec.cc
DEVELOP-INC.COM
MERCYGROUPNET.NET
MERCY-INC.COM
SOLARISGROUPINC.COM
SOLARISGROUPNET.NET
JVC-INC.COM
JVCGROUPNET.NET
EVOLVINGSYSINC.NET
ATCANETWORKS.NET
ATCA-INC.COM
GALLEOGROUPNET.NET
GALLEO-INC.COM
EVOLVINGSYSINC.NET
EVOLVING-INC.COM
NETMARKET-INC.COM
NETMARKETTECH.NET
INFOTECH-GROUPCO.NET
INFOTECH-GROUPINC.COM
INFOTECHGROUP-INC.COM
BANDS-GROUPSVC.COM
BANDS-INC.COM
BANDSGROUP-INC.NET
BANDSGROUPNET.CC
ICT-GROUPCO.COM
ICT-GROUPSVC.NET
ICTGROUPINC.COM
ICTGROUPNET.CC
GIANT-GROUPCO.NET
GIANT-GROUPINC.COM
GIANT-GROUPNET.CC
GIANTGROUPINC.COM
IMPERIAL-GROUPINC.COM
IMPERIAL-GROUPSVC.NET
IMPERIALGROUPCO.COM
HOSTGROUP-INC.COM
HOSTGROUPINC.COM
HOSTGROUPNET.CC
HOST-GROUPSVC.NET
CNLGROUP-INC.CC
CNLGROUPNET.NET
CNL-GROUPSVC.COM
CNL-INC.COM
bands-groupsvc.com
bands-inc.com
bandsgroup-inc.net
bandsgroupnet.cc
cnl-groupsvc.com
cnl-inc.com
cnlgroup-inc.cc
cnlgroupnet.net
giant-groupco.net
giant-groupinc.com
giant-groupnet.cc
giantgroupinc.com
host-groupsvc.net
hostgroup-inc.com
hostgroupinc.com
hostgroupnet.cc
ict-groupco.com
ict-groupsvc.net
ictgroupinc.com
ictgroupnet.cc
imperial-groupinc.com
imperial-groupsvc.net
imperialgroupco.com
infotech-groupco.net
infotech-groupinc.com
infotechgroup-inc.com
itcom-groupco.net
itcom-groupfine.cc
itcom-groupsvc.com
itcomgroup-inc.com
mgm-groupsvc.com
mgmgroup-inc.net
mgmgroupinc.com
mgmgroupnet.cc
usi-groupinc.net
usigroup-inc.com
usigroupinc.com
usigroupnet.cc
NOVARIS-GROUPLLC.TW
NOVARISGROUPMAIN.TW
NOVARIS-GROUPORG.CC
VITAL-GROUPCO.CC
VITAL-GROUPCO.TW
VITAL-GROUPING.TW
PERSEUS-GROUPFINE.TW
PERSEUS-GROUPINC.TW
PERSEUSGROUPLLC.CC

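The raw list above is more useful to a defender once you notice that the gang builds its fake-company names from a handful of templates: a stem (bands, cnl, giant, host, ict, imperial, mgm, usi, ...) joined to a corporate-sounding tag (-groupco, groupinc, -groupsvc, -inc) and spread across .com/.net/.cc/.tw. The script below is an added example, written for this editorial pass and not code from the blog; it clusters a subset of the listed domains by stem, flags a new registration that reuses a known stem, and generates the not-yet-seen spellings of a stem as a monitoring watchlist. The tag set in the regular expression is my own reading of the list, not something the post defines, and the "giant-groupllc.tw" lookalike in the demo is constructed.

```python
"""Cluster templated money-mule recruitment domains by their name stem.

Added example (editor's code, not from the blog). The sample domains are
copied from the post's list; the tag tokens in TEMPLATE are an assumption
read off that list.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the domains in the post, lower-cased.
SAMPLE_DOMAINS = [
    "bands-groupsvc.com", "bands-inc.com", "bandsgroup-inc.net", "bandsgroupnet.cc",
    "cnl-groupsvc.com", "cnl-inc.com", "cnlgroup-inc.cc", "cnlgroupnet.net",
    "giant-groupco.net", "giant-groupinc.com", "giant-groupnet.cc", "giantgroupinc.com",
    "ict-groupco.com", "ict-groupsvc.net", "ictgroupinc.com", "ictgroupnet.cc",
    "novaris-groupllc.tw", "novarisgroupmain.tw", "novaris-grouporg.cc",
    "click-n-art.com", "linkllc-uk.com",   # not templated: stay out of the clusters
]

# <stem>[-]group[-]<tag>  or  <stem>[-]inc ; the tag set is an editor's assumption.
TEMPLATE = re.compile(
    r"^(?P<stem>[a-z0-9]+?)-?"
    r"(?:group-?(?P<tag>co|inc|net|svc|llc|main|org|sec|fine|ing)|(?P<bare>inc))$"
)


def parse_label(domain):
    """Return (stem, tag, tld) for a templated domain, or None if it does not fit."""
    label, _, tld = domain.strip().lower().rpartition(".")
    m = TEMPLATE.match(label)
    if not m:
        return None
    tag = "group" + m.group("tag") if m.group("tag") else "inc"
    return m.group("stem"), tag, tld


def cluster(domains):
    """Group domains by stem: {"giant": {"giant-groupco.net", ...}, ...}."""
    groups = defaultdict(set)
    for d in domains:
        parsed = parse_label(d)
        if parsed:
            groups[parsed[0]].add(d.strip().lower())
    return dict(groups)


def is_templated_lookalike(domain, known_stems):
    """True if a new registration reuses a stem already seen in the campaign."""
    parsed = parse_label(domain)
    return parsed is not None and parsed[0] in known_stems


def expand_watchlist(stem, tags, tlds, seen):
    """All <stem>[-]<tag>.<tld> spellings not yet observed, for monitoring."""
    seen = {d.strip().lower() for d in seen}
    candidates = set()
    for tag in tags:
        for tld in tlds:
            for sep in ("", "-"):
                name = f"{stem}{sep}{tag}.{tld}"
                if name not in seen:
                    candidates.add(name)
    return sorted(candidates)


if __name__ == "__main__":
    groups = cluster(SAMPLE_DOMAINS)
    for stem, members in sorted(groups.items()):
        print(f"{stem}: {sorted(members)}")
    # Constructed, never-seen domain that fits the template: flagged as a lookalike.
    print(is_templated_lookalike("giant-groupllc.tw", set(groups)))
    print(expand_watchlist("giant", ["groupco", "groupinc", "groupnet"],
                           ["com", "net", "cc"], groups["giant"]))
```

The watchlist is meant for passive DNS or certificate-transparency monitoring, not for registration: the point is that a family built from a small template is cheap to anticipate, so the next "giantgroupco.com" can be caught on day one instead of after the first mule complaint.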
Consider going through my previous research into one of the most popular 'risk-forwarding' tactics used by cybercriminals, namely, money mule recruitment.

Related posts on money mule recruitment:

[1] Keeping Money Mule Recruiters on a Short Leash - Part Eleven

[2] Keeping Money Mule Recruiters on a Short Leash - Part Ten

[3] Keeping Money Mule Recruiters on a Short Leash - Part Nine

[4] Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT

[5] Keeping Money Mule Recruiters on a Short Leash - Part Seven

[6] Keeping Money Mule Recruiters on a Short Leash - Part Six

[7] Keeping Money Mule Recruiters on a Short Leash - Part Five

[8] The DNS Infrastructure of the Money Mule Recruitment Ecosystem

[9] Keeping Money Mule Recruiters on a Short Leash - Part Four

[10] Money Mule Recruitment Campaign Serving Client-Side Exploits

[11] Keeping Money Mule Recruiters on a Short Leash - Part Three

[12] Money Mule Recruiters on Yahoo!'s Web Hosting

[13] Dissecting an Ongoing Money Mule Recruitment Campaign

[14] Keeping Money Mule Recruiters on a Short Leash - Part Two

[15] Keeping Reshipping Mule Recruiters on a Short Leash

[16] Keeping Money Mule Recruiters on a Short Leash

[17] Standardizing the Money Mule Recruitment Process

[18] Inside a Money Laundering Group's Spamming Operations

[19] Money Mule Recruiters use ASProx's Fast Fluxing Services

[20] Money Mules Syndicate Actively Recruiting Since 2002

This post has been reproduced from [21]Dancho Danchev's blog.

1. http://ddanchev.blogspot.com/2011/OS/keeping-money-mule-recruiters-on-short.html

2. http://ddanchev.blogspot.com/2011/07/keeping-money-mule-recruiters-on-short.html

3. http://ddanchev.blogspot.com/2011/05/keeping-money-mule-recruiters-on-short_30.html

4. http://ddanchev.blogspot.com/2011/05/keeping-money-mule-recruiters-on-short_25.html

5. http://ddanchev.blogspot.com/2011/05/keeping-money-mule-recruiters-on-short.html

6. http://ddanchev.blogspot.com/2011/03/keeping-money-mule-recruiters-on-short.html

7. http://ddanchev.blogspot.com/2011/01/keeping-money-mule-recruiters-on-short.html

8. http://ddanchev.blogspot.com/2010/04/dns-infrastructure-of-money-mule.html

9. http://ddanchev.blogspot.com/2010/04/keeping-money-mule-recruiters-on-short.html

10. http://ddanchev.blogspot.com/2010/03/money-mule-recruitment-campaign-serving.html

11. http://ddanchev.blogspot.com/2010/03/keeping-money-mule-recruiters-on-short.html

12. http://ddanchev.blogspot.com/2010/03/money-mule-recruiters-on-yahoos-web.html

13. http://ddanchev.blogspot.com/2010/02/dissecting-ongoing-money-mule.html

14. http://ddanchev.blogspot.com/2010/02/keeping-money-mule-recruiters-on-short.html

15. http://ddanchev.blogspot.com/2009/12/keeping-reshipping-mule-recruiters-on.html

16. http://ddanchev.blogspot.com/2009/11/keeping-money-mule-recruiters-on-short.html

17. http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html

18. http://ddanchev.blogspot.com/2009/05/inside-money-laundering-groups-spamming.html

19. http://ddanchev.blogspot.com/2008/07/money-mule-recruiters-use-asproxs-fast.html

20. http://ddanchev.blogspot.com/2008/10/money-mules-syndicate-actively.html

21. http://ddanchev.blogspot.com/
Summarizing Webroot's Threat Blog Posts for December (2013-01-09 19:34)

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for December, 2012. You can subscribe to [2]Webroot's Threat Blog RSS Feed, or follow me on Twitter:

01. [3]DIY malicious domain name registering service spotted in the wild

02. [4]Fake 'FedEx Tracking Number' themed emails lead to malware

03. [5]Bogus 'Facebook Account Cancellation Request' themed emails serve client-side exploits and malware

04. [6]Malicious 'Security Update for Banking Accounts' emails lead to Black Hole Exploit Kit

05. [7]A peek inside a boutique cybercrime-friendly E-shop - part five

06. [8]Fake 'Flight Reservation Confirmations' themed emails lead to Black Hole Exploit Kit

07. [9]Malicious 'Sendspace File Delivery Notifications' lead to Black Hole Exploit Kit

08. [10]Fake Chase 'Merchant Billing Statement' themed emails lead to malware

09. [11]Cybercriminals entice potential cybercriminals into purchasing bogus credit cards data

10. [12]Fake 'Change Facebook Color Theme' events lead to rogue Chrome extensions

11. [13]Fake 'Citi Account Alert' themed emails lead to Black Hole Exploit Kit

12. [14]Spamvertised 'Work at Home' scams impersonating CNBC spotted in the wild

13. [15]Pharmaceutical scammers spamvertise YouTube themed emails, entice users into purchasing counterfeit drugs

14. [16]Cybercriminals resume spamvertising British Airways themed E-ticket receipts, serve malware

15. [17]Fake 'UPS Delivery Confirmation Failed' themed emails lead to Black Hole Exploit Kit

16. [18]Webroot's Threat Blog Most Popular Posts for 2012
Summarizing ZDNet's Zero Day Posts for January (2013-02-04 22:38)

The following is a brief summary of all of my posts at [1]ZDNet's Zero Day for January, 2013. You can subscribe to [2]Zero Day's main feed, or follow me on Twitter:

01. [3]Dutch security researchers dissect the Pobelka botnet

02. [4]ESPN's ScoreCenter for iOS sends passwords in cleartext, susceptible to XSS flaw

03. [5]Report: AutoRun malware infections continue topping the charts

04. [6]Comparative review: Opera leads in browser anti-phishing protection

05. [7]Italian-language page at MSN redirects to Cool Exploit Kit, serves ransomware

06. [8]WordPress releases version 3.5.1, fixes 3 security issues

07. [9]Targeted attack against UAE activist utilizes CVE-2013-0422, drops malware

This post has been reproduced from [10]Dancho
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Summarizing Webroot's Threat Blog Posts for 
January (2013-02-04 23:14) 

The following is a brief summary of all of my posts at 
[IJWebroot's Threat Blog for January, 2013. You can 
subscribe to [2]Webroot's Threat Blog RSS Feed, or 

follow me on Twitter: 

01. [3]Spamvertised 'Your Recent eBill from Verizon 
Wireless' themed emails serve client-side exploits and 
malware 

02. [4]Fake BBB (Better Business Bureau) Notifications lead 
to Black Hole Exploit Kit 

03. [SJ'Attention! Changes in the bank reports!' themed 
emails lead to Black Hole Exploit Kit 

04. [6]Fake 'You have made an Ebay purchase' themed 
emails lead to client-side exploits and malware 

05. [7]A peek inside a boutique cybercrime-friendly E-shop 
- part six 

06. [SJBIack Hole Exploit Kit author's 'vertical market 
integration' fuels growth in malicious Web activity 

07. [9]Spamvertised AlCPA themed emails serve client-side 
exploits and malware 



08. [10]Tlease confirm your U.S Airways online registration' 
themed emails lead to Black Hole Exploit Kit 

09. [ll]Malicious DIYJava applet distribution platforms 
going mainstream 

10. [12]Fake 'ADP Speedy Notifications' lead to client-side 
exploits and malware 

11. [13]Cybercriminals release automatic CAPTCHA-solving 
bogus Youtube account generating tool 

12. [14]'Batch Payment File Declined' EFTPS themed emails 
lead to Black Hole Exploit Kit 
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13. [15]Cybercriminals resume spamvertising fake 
Vodafone 'A new picture or video message' themed emails, 
serve malware 

14. [16]Leaked DIY malware generating tool spotted in the 
wild 

15. [17]Email hacking for hire going mainstream - part 
three 

16. [18]Android malware spreads through compromised 
legitimate Web sites 

17. [19]Fake Intuit 'Direct Deposit Service Informer' themed 
emails lead to Black Hole Exploit Kit 

18. [20]Fake Linkedin 'Invitation Notifications' themed 
emails lead to client-side exploits and malware 

19. [21]Novice cybercriminals experiment with DIY 
ransomware tools 



20. [22]Bogus 'Your Paypal Transaction Confirmation' 
themed emails lead to Black Hole Exploit Kit 

21. [23]Fake 'FedEx Online Billing - Invoice Prepared to be 
Paid' themed emails lead to Black Hole Exploit Kit 

22. [24]A peek inside a DIY password stealing malware 

23. [25]Malicious 'Facebook Account Cancellation Request' 
themed emails serve client-side exploits and malware 
Historical OSINT - Hacked Databases Offered for Sale 
(2013-02-06 02:03) 

In the wake of the recently announced security breaches at 
the [1]NYTimes, [2]WSJ, and the [3]Washington Post, I 
decided to shed more light on what happens once a 
database gets compromised by Russian cybercriminals, 
compared to (supposedly) Chinese spies, with the idea to 
provide factual evidence that these breaches are just the 
tip of the iceberg. 

In this intelligence brief, I'll profile a service that was 
originally operating throughout the entire 2009, selling 
access to compromised databases of multiple high-trafficked 
Web sites, through the direct compromise of their 
databases, hence the name of the service - GiveMeDB. 


Primary URL: hxxp://givemedb.com - Email: giverems@mail.ru 

Secondary URL: hxxp://shopdb.blogspot.com 

ICQ: 9348793; 5190451 

During 2009, the domain used to respond to 83.133.123.228 
(LAMBDANET-AS, European Backbone of LambdaNet); it then 
changed IPs to 74.54.82.209 (THEPLANET-AS, ThePlanet.com 
Internet Services, Inc.). The following domains used to 
respond to the same IP (83.133.123.228): pornofotki.com.ua, 
mail.vipnkvd.ru. What are the chances that these IPs are 
known to have been involved in related malicious/cybercrime-friendly 
activities? Appreciate my rhetoric. 

We've got the following [4]MD5: 
6a9b128545bd095dbbb697756f5586a9, known to have been 
spamming links to the same IP, 
hxxp://83.133.123.228/uksus/?t=3 in particular. 

Cross-checking the second IP (74.54.82.209) across multiple 
proprietary and public databases reveals a diversified 
criminal enterprise that's been using it for years. 



The following MD5s are known to have phoned back to the 
same IP (74.54.82.209): 

[5] MD5: d48a7ae9934745964951a704bcc70fe9 
[6] MD5: 4626de911152ae7618c9936d8d258577 
[7] MD5: ca4b79a33ea6e311eafa59a6c3fffee2 
[8] MD5: eb3b44cee34ec09ec6c5917c5bd7cfb4 

As well as a recent (2011) [9]Palevo C&C activity. 
Clearly, they've been multi-tasking on multiple fronts. 

Each offer is structured as follows: partial URL of the 
hacked Web site, country of the Web site, number of records 
in the database, first-time price, and exclusive price. The 
list of affected Web sites is as follows: 
Job/CV Databases: 

jobsbazaar.* 
availablejobs.* 
ecarers.* 
fecarears.* 
healthmeet.* 
youths.* 
jobpilot.* 
thecareerengineer.* 
iauk.* 
jobboerse.* 
creativepool.* 
jobsinkent.* 
jobsinthemoney.* 
jobup.* 
rxcareercenter.* 

Dating Databases: 

freedating.* 
singles-bar.* 
muenchner-singles.* 
dateclub.* 
websingles.* 
find-you.* 
fitness-singles.* 
houstonconnect.* 
datingz.* 
loveandfriends.* 
lovebyrd.* 
mydatingplacephx.* 
cozydating.* 
singletreffen.* 
datearea.* 
endless-fantasy.* 

Financial Databases: 

importers.* 
money.* 
pcquote.* 
investorvillage.* 
gurufocus.* 
individual.* 
arabianbusiness.* 
ecademy.* 

Other Databases: 

pokersourceonline.* 
wickedcolors.* 
salespider.* 
busytrade.* 
funky.* 
Purchasing these hacked databases immediately improves the 
competitiveness of a potential cybercriminal, who now has 
everything he/she needs to launch spam, spear phishing, and 
[10]money mule recruitment campaigns. 

For years, novice cybercriminals or unethical competitors 
have been purposely joining closed cybercrime-friendly 
communities, seeking help, in exchange for a financial 
incentive, in obtaining access to a particular database, or 
for the "[11]defacement" of a specific Web site. What this 
service proves is that the model can actually scale to 
disturbing proportions, offering access to millions of 
compromised database records to virtually anyone who pays 
for them. 
Updates will be posted as soon as new developments take 
place. 

This post has been reproduced from [12]Dancho Danchev's 
blog. Follow him [13]on Twitter. 

1. http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?pagewanted=all&_r=0 

2. http://professional.wsj.com/article/SB10001424127887323926104578276202952260718.html 

3. http://www.washingtonpost.com/business/technology/chinese-hackers-suspected-in-attack-on-the-posts-computers/2013/02/01/d5a44fde-6cb1-11e2-bd36-c0fe61a205f6_sto 

4. https://www.virustotal.com/file/131f2f8870071f490baf268fd3becc02b8a4dc755b23c3853e04d413a4987f6a/analysis/ 

5. https://www.virustotal.com/file/30a5441a26461e9ffc86187a0c2f6574d51d27a52a6188ecbba50cc2345586c9/analysis/ 

6. https://www.virustotal.com/file/f06867926bcff4641d1308acdb7fddf1b99f9babaca83bb72e811f1345f8904b/analysis/ 

7. https://www.virustotal.com/file/62e36c696c8bff15ba6a1b58774485ca4f18c704af9410495b4b7d24fe437901/analysis/ 

8. https://www.virustotal.com/file/99d2cbdee78f7d66d73e7545e6e03d0f20f2d731f9911fdd84c4c95f6ddea9b7/analysis/ 

9. https://palevotracker.abuse.ch/?ipaddress=74.54.82.209 

10. https://www.google.com/webhp?hl=en&tab=ww&authuser=0#hl=en&tbo=d&authuser=0&sclient=psy-ab&q=site:ddanchev.blogspot.com+%22money+mule%22&oq=site:ddanchev.blogsp 

11. http://ddanchev.blogspot.com/2008/04/commercial-web-site-defacement-tool.html 

12. http://ddanchev.blogspot.com/ 

13. http://twitter.com/danchodanchev 
Dissecting NBC's Exploits and Malware Serving Web 
Site Compromise (2013-02-21 22:03) 

The web site of the [1]National Broadcasting Company 
(NBC), NBC.com, is currently compromised, and is 
redirecting tens of thousands of legitimate users to multiple 
exploits serving and malware dropping malicious URLs. 

The campaign appears to have been launched by the same 
gang of cybercriminals that's also been recently involved 
in impersonating [2]Facebook Inc. and [3]Verizon Wireless, 
in an attempt to trick their users/customers into clicking 
on links found in hundreds of thousands of spamvertised 
emails pretending to come from the companies. 

Let's dissect the campaign, expose its structure, the 
dropped malware, and connect the dots on who's behind it. 

Observed iFrames in rotation: 

hxxp://umaiskhan.com/znzd.html 
hxxp://umaiskhan.com/ztuj.html 
hxxp://priceworldpublishing.com/aynk.html 
hxxp://toplineops.com/mtnk.html 
hxxp://moi-npovye-sploett.com/qqqq/l.php 
hxxp://www.jaylenosgarage.com/trucks/PHP/google.php 
hxxp://nikweinstein.com/cl/google.php 

Observed redirections leading to: 

hxxp://gonullersultani.net/znzd.htm 
hxxp://erabisnis.net/znzd.htm 
hxxp://electricianfortwayne.info/62.html 
hxxp://moi-npovye-sploett.com/cGeQcOwzlKPI/larktion.php 
Sample client-side exploitation chain for the first 
campaign: 

hxxp://toplineops.com/mtnk.html -> 
hxxp://electricianfortwayne.info/62.html -> 
hxxp://electricianfortwayne.info/987.pdf 

Upon successful client-side exploitation, the campaign 
drops [4]MD5: 4e48ddc2a2481f9ff27113e6395160e1, detected 
by 7 out of 46 antivirus scanners as 
Trojan-Spy.Win32.Zbot.jfgj. 

Once executed, the sample creates the "Xi3FVnelx" mutex 
and phones back to: 

hxxp://eastsidetennisassociation.com/i.htm?Jzd63FlJyFUfMyyfl08U9 
- 74.220.215.229 

hxxp://envirsoft.com/n.htm?xWasESNrgoz0130NRlPNCGTGhPAW16Qj67Bn] 
- 174.120.29.2 - Email: louis.bouchard@envirsoft.com 

hxxp://beautiesofcanada.com/s.htm?2diYtfCwTLfFBzTL8TrY7btwJDVszOi 
- 66.96.145.104 - Email: eddom@yahoo.com 

hxxp://magasin-shop.com/v.htm?ZPIkcqLyyHFRxHmhVxQNSHdfszymBrXxuy 
- 66.96.160.143 

hxxp://couche-transport.comiu.com/r.htm?MbekKFBmq5H8YxeVXYM9yOi/i//C 
- 31.170.161.96 

Second redirection chain for a sampled iFrame: 

hxxp://moi-npovye-sploett.com/qqqq/l.php -> 
hxxp://moi-npovye-sploett.com/cGeQcOwzlKPI/larktion.php -> 
hxxp://moi-npovye-sploett.com/cGeQcOwzlKPI/aflybing.php?esusvity=785280 

where it attempts to exploit [5]CVE-2010-0188. 


Malicious domains reconnaissance: 

umaiskhan.com - 173.254.28.49 - Email: 
chfaisal009@gmail.com - appears to be a compromised site 
belonging to someone named "Azhar Mahmood", unless of 
course you want to believe that Pakistan's cyber warfare 
unit is behind the campaign, since this is the second time 
that I come across this IP. Keep reading! 

priceworldpublishing.com - 174.122.45.74 - Email: 
info@sportsworkout.com 

electricianfortwayne.info - 173.201.92.1 - Email: 
mdkline65@yahoo.com 

gonullersultani.net - 72.167.2.128 - Email: 
gonullersultani@gmail.com 

erabisnis.net - 74.220.207.161 

moi-npovye-sploett.com - 130.185.157.102 - Email: 
josephhaddad829@yahoo.com 

jaylenosgarage.com - 80.239.148.217 

nikweinstein.com - 205.178.145.95 - Email: 
nikweinstein@hotmail.com 

mdkline65@yahoo.com is also known to have registered the 
following domains: 

dedirt.com 
dogsrit.com 
spiritualspice.us 
madamerufus.com 
herbalstatelegal.com 
myauditionsite.com 
injurylawyercleveland.info 
injurylawyerspringfieldmo.info 
injurylawyercolumbus.info 
injurylawyerindianapolis.info 

Who's behind this campaign, and can we connect this 
malicious activity to previously analyzed malicious 
campaigns? 

But, of course. 

umaiskhan.com responds to 173.254.28.49, and on 
2013-01-28 18:56:19 we know that another domain used in a 
Facebook Inc. themed campaign was also responding to the 
same IP, namely 
hxxp://shutterstars.com/wp-content/plugins/akismet/resume_facebook.html. 
The compromised legitimate host back then used to serve 
client-side exploits through 
hxxp://gotina.net/detects/sign_on_to_resume.php - 
222.238.109.66 - Email: lockwr@rocketmail.com. 

Deja vu! We've already seen and profiled this malicious 
domain in the following assessment "[6]Fake 'You've 
blocked/disabled your Facebook account' themed emails 
serve client-side exploits and malware", indicating that 
both of these campaigns have been launched by the same 
cybercriminal/gang of cybercriminals. What's also worth 
emphasizing is that the same email (lockwr@rocketmail.com) 
used to register gotina.net was also profiled in the 
following assessment "[7]Fake 'Verizon Wireless Statement' 
themed emails lead to Black Hole Exploit Kit", where it was 
used to register the name servers used in the campaign. 

Someone's multi-tasking. That's for sure. 
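The chain of pivots above (the shared IP 173.254.28.49 to the Facebook-themed campaign, then the shared registrant lockwr@rocketmail.com to the Verizon-themed campaign) is worth encoding rather than redoing by hand each time. The following Python script is an added example, not part of the original post or its author's tooling: it loads the indicators the post lists, finds which campaigns share an indicator, walks from the NBC.com compromise to the Verizon-themed campaign, and reports the weakest link in the chain. The campaign labels, the numeric weights, and the rule that a registrant-email pivot outranks an IP pivot are assumptions made for the example.

```python
from collections import defaultdict, deque

# How much a shared indicator is worth as a pivot (assumed weights). A
# registrant e-mail is close to unique to an actor; a shared IP can simply be
# shared hosting (umaiskhan.com is itself a compromised site on someone else's
# server), so it ranks lowest.
PIVOT_WEIGHT = {"email": 0.9, "ip": 0.4}

# (campaign, indicator type, value), copied from the post's reconnaissance.
OBSERVATIONS = [
    ("NBC.com compromise",   "ip",    "173.254.28.49"),          # umaiskhan.com
    ("NBC.com compromise",   "email", "chfaisal009@gmail.com"),  # umaiskhan.com registrant
    ("NBC.com compromise",   "ip",    "173.201.92.1"),           # electricianfortwayne.info
    ("NBC.com compromise",   "email", "mdkline65@yahoo.com"),    # electricianfortwayne.info registrant
    ("NBC.com compromise",   "ip",    "130.185.157.102"),        # moi-npovye-sploett.com
    ("Facebook-themed spam", "ip",    "173.254.28.49"),          # shutterstars.com on 2013-01-28
    ("Facebook-themed spam", "ip",    "222.238.109.66"),         # gotina.net
    ("Facebook-themed spam", "email", "lockwr@rocketmail.com"),  # gotina.net registrant
    ("Verizon-themed spam",  "email", "lockwr@rocketmail.com"),  # name-server registrant
]


def index_by_indicator(observations):
    """Map (type, value) -> set of campaigns in which it was observed."""
    index = defaultdict(set)
    for campaign, kind, value in observations:
        index[(kind, value)].add(campaign)
    return index


def shared_indicators(observations):
    """Return {(campaign_a, campaign_b): [(type, value), ...]} for every pair
    of campaigns that have at least one indicator in common."""
    links = defaultdict(list)
    for (kind, value), campaigns in index_by_indicator(observations).items():
        for a in campaigns:
            for b in campaigns:
                if a < b:
                    links[(a, b)].append((kind, value))
    return dict(links)


def pivot_path(observations, src, dst):
    """Breadth-first search from src to dst over shared indicators. Returns
    [(campaign, via)], via being the strongest shared (type, value) that led
    there (None for the start node), or None if no chain of pivots exists."""
    adjacency = defaultdict(list)
    for (a, b), shared in shared_indicators(observations).items():
        best = max(shared, key=lambda kv: PIVOT_WEIGHT[kv[0]])
        adjacency[a].append((b, best))
        adjacency[b].append((a, best))
    queue = deque([[(src, None)]])
    seen = {src}
    while queue:
        path = queue.popleft()
        if path[-1][0] == dst:
            return path
        for nxt, via in adjacency[path[-1][0]]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [(nxt, via)])
    return None


def path_confidence(path):
    """A chain of pivots is only as strong as its weakest link; an attribution
    that rests on one shared IP should be reported with that caveat."""
    weights = [PIVOT_WEIGHT[via[0]] for _, via in path if via is not None]
    return min(weights) if weights else 0.0


if __name__ == "__main__":
    path = pivot_path(OBSERVATIONS, "NBC.com compromise", "Verizon-themed spam")
    for campaign, via in path:
        print(campaign if via is None else f"  --[{via[0]} {via[1]}]--> {campaign}")
    print(f"weakest link in the chain: {path_confidence(path):.1f}")
```

Running it prints the two-hop path and scores its weakest link at 0.4, the shared-IP hop. That is the check to make before writing "same gang": 173.254.28.49 also hosts a compromised third-party site, so the IP overlap on its own could be shared hosting, and it is the registrant-email hop that carries the attribution.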

This post has been reproduced from [8]Dancho Danchev's 
blog. Follow him [9]on Twitter. 

1. http://en.wikipedia.org/wiki/NBC 

2. http://blog.webroot.com/tag/facebook/ 

3. http://blog.webroot.com/tag/verizon/ 

4. https://www.virustotal.com/en/file/6b276bee21bf5946461e3c62f447b3be7179e9cce4742a61b26417609ed001ee/analys 

5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188 

6. http://blog.webroot.com/2013/02/14/fake-youve-blockeddisabled-your-facebook-account-themed-emails-serve-client-side-exploits-and-malware/ 

7. http://blog.webroot.com/2013/02/21/fake-verizon-wireless-statement-themed-emails-lead-to-black-hole-exploit-kit/ 

8. http://ddanchev.blogspot.com/ 

9. http://twitter.com/danchodanchev 
Summarizing Webroot's Threat Blog Posts for 
February (2013-03-04 15:31) 

The following is a brief summary of all of my posts at 
[1]Webroot's Threat Blog for February, 2013. You can 
subscribe to [2]Webroot's Threat Blog RSS Feed, or 

follow me on Twitter: 

01. [3]Fake Booking.com 'Credit Card was not Accepted' 
themed emails lead to malware 

02. [4]Fake FedEx 'Tracking ID/Tracking Number/Tracking 
Detail' themed emails lead to malware 

03. [5]'Your Kindle e-book Amazon receipt' themed emails 
lead to Black Hole Exploit Kit 

04. [6]New DIY HTTP-based botnet tool spotted in the wild 

05. [7]Mobile spammers release DIY phone number 
harvesting tool 

06. [8]New underground service offers access to thousands 
of malware-infected hosts 

07. [9]Targeted 'phone ring flooding' attacks as a service 
going mainstream 

08. [10]Fake 'You've blocked/disabled your Facebook 
account' themed emails serve client-side exploits and 
malware 

09. [11]Spamvertised IRS 'Income Tax Refund Turned Down' 
themed emails lead to Black Hole Exploit Kit 

10. [12]Malware propagates through localized Facebook 
Wall posts 

11. [13]Malicious 'RE: Your Wire Transfer' themed emails 
serve client-side exploits and malware 
12. [14]New underground E-shop offers access to hundreds 
of hacked PayPal accounts 

13. [15]Fake 'Verizon Wireless Statement' themed emails 
lead to Black Hole Exploit Kit 

14. [16]DIY malware cryptor as a Web service spotted in the 
wild 

15. [17]Malicious 'Data Processing Service' ACH File ID 
themed emails serve client-side exploits and malware 



16. [18]How mobile spammers verify the validity of 
harvested phone numbers 

17. [19]How much does it cost to buy 10,000 U.S.-based 
malware-infected hosts? 

This post has been reproduced from [20]Dancho Danchev's 
blog. Follow him [21]on Twitter. 

1. http://blog.webroot.com/ 

2. http://feeds2.feedburner.com/WebrootThreatBlog 

3. http://blog.webroot.com/2013/02/01/fake-booking-com-credit-card-was-not-accepted-themed-emails-lead-to-malware/ 

4. http://blog.webroot.com/2013/02/04/fake-fedex-tracking-idtracking-numbertracking-detail-themed-emails-lead-to-malware/ 

5. http://blog.webroot.com/2013/02/05/your-kindle-e-book-amazon-receipt-themed-emails-lead-to-black-hole-exploit-kit/ 

6. http://blog.webroot.com/2013/02/06/new-diy-http-based-botnet-tool-spotted-in-the-wild/ 

7. http://blog.webroot.com/2013/02/07/mobile-spammers-release-diy-phone-number-harvesting-tool/ 

8. http://blog.webroot.com/2013/02/12/new-underground-service-offers-access-to-thousands-of-malware-infected-hosts/ 

9. http://blog.webroot.com/2013/02/13/targeted-phone-ring-flooding-attacks-as-a-service-going-mainstream/ 

10. http://blog.webroot.com/2013/02/14/fake-youve-blockeddisabled-your-facebook-account-themed-emails-serve-client-side-exploits-and-malware/ 

11. http://blog.webroot.com/2013/02/15/spamvertised-irs-income-tax-refund-turned-down-themed-emails-lead-to-black-hole-exploit-kit/ 

12. http://blog.webroot.com/2013/02/18/malware-propagates-through-localized-facebook-wall-posts/ 

13. http://blog.webroot.com/2013/02/19/malicious-re-your-wire-transfer-themed-emails-serve-client-side-exploits-and-malware/ 

16. http://blog.webroot.com/2013/02/22/diy-malware- 

17. http://blog.webroot.com/2013/02/25/malicious-data- 

nt-side-exploits-and-malware/ 

cost-to-buy-10000-u-s-based-malware-infected-hosts/ 

20. http://ddanchev.blogspot.com/ 
Dissecting NBC's Late Night with Jimmy Fallon Web 
Site Compromise (2013-03-07 00:52) 


[1]Oops, they did it again! 

The official Web site 
(hxxp://www.latenightwithjimmyfallon.com) of [2]NBC's 
Late Night With Jimmy Fallon is currently 
[3]compromised/hacked and is automatically serving 
multiple Java exploits to its visitors through a tiny iFrame 
element embedded on the front page. According to 
[4]Google's Safe Browsing Diagnostic page, the same 
malicious iFrame domain that affected the Web site is also 
known to have affected 15 more domains. 

Let's dissect the campaign, expose the complete domain 
portfolio used in the campaign, reproduce the malicious 
payload, and establish a direct connection between this 
campaign and a series of phishing campaigns that appear to 
have been launched by the same cybercriminal/gang of 
cybercriminals. 

Sample client-side exploitation chain: 

hxxp://20-monkeys-b.com/exp/agencept.php?vialjack=339214 
- 144.135.8.182; 192.154.103.66 -> 
hxxp://20-monkeys-b.com/exp/tionjett.php 

Although the currently embedded iFrame domain is offline, 
we know that on 2013-03-06 17:02:35 it used to respond to 
192.154.103.66. We've got several malicious domains 
currently parked at the same IP and responding, allowing us 
to obtain the malicious payload used in the campaign 
affecting NBC's Web site. Upon further examination, the 
obtained malicious PDF used in the campaign also attempts 
to connect to the initial iFrame domain (20-monkeys-b.com), 
proving that the domains are operated by the same 
cybercriminal/gang of cybercriminals. 

Sample exploitation chain for a currently active 
malicious domain responding to 192.154.103.66: 

hxxp://poople-huelytics.com/exp/agencept.php?vialjack=694842 -> 
hxxp://poople-huelytics.com/exp/addajapa/jurylamp.jar -> 
hxxp://poople-huelytics.com/exp/addajapa/ptlyable.jar -> 
hxxp://poople-huelytics.com/exp/jectrger.php 

Sample client-side exploits served: [5]CVE-2013-0431; 
[6]CVE-2012-1723; [7]CVE-2010-0188 

Sample detection rates for the reproduced malicious 
payload: 

test.pdf - [8]MD5: 013ed8ef6d92cfe337d9d82767f778da - 
detected by 10 out of 46 antivirus scanners as 
PDF:Exploit.PDF-JS.VU 

jurylamp.jar - [9]MD5: dcba86395938737b058299b8e22b6d65 - 
detected by 7 out of 46 antivirus scanners as 
Exploit:Java/CVE-2013-0431 

ptlyable.jar - [10]MD5: 2446aa6594fc7935ca13b130d4f67442 - 
detected by 6 out of 46 antivirus scanners as 
HEUR:Exploit.Java.CVE-2012-1723.gen 

test.pdf drops MD5: 51311FDECCD8B6BC5059BE33E0046A27 and 
MD5: 72B670F4582BC73C0D05FF506B51B8EB; it then attempts to 
obtain the malicious payload from 
20-monkeys-b.com/exp/senccute.php? (144.135.8.182) 

Responding to 192.154.103.66 are also the following 
malicious domains: 

snova-vdel-e.com 

mimemimikat. info 

Malicious domain names reconnaissance: 

20-monkeys-b.com - Email: haneslyndsey@yahoo.com 

poople-huelytics.com - Email: brianmyhalyk@yahoo.com 

snova-vdel-e.com - Email: guerin_k@yahoo.com 

mimemimikat.info - Email: xbroshost@live.com 

More domains share the same exploitation directory 
structure (agencept.php?vialjack=), such as for instance: 

hxxp://upd.pes2020.com.ar/up/agencept.php?vialjack%3D219215 
hxxp://upd.typescript.com.ar/up/agencept.php?vialjack=219215 
hxxp://4ad32203.dyndns.info/agencept.php?vialjack=428181 
hxxp://4ad34364.dyndns.info/agencept.php?vialjack=428181 
hxxp://4ad28306.dyndns.info/agencept.php?vialjack=428181 
hxxp://4ad23745.dyndns.info/agencept.php?vialjack=428181 
hxxp://4ad96968.dyndns.info/agencept.php?vialjack%3D428181 
hxxp://4ad21321.dyndns.info/agencept.php?vialjack=428181 

The same email (xbroshost@live.com) is also known to have 
registered the following phishing domains in the past: 

hxxp://www.realtorviewproperties.info/realtorjj/index.htm 
hxxp://www.usaindependentmerchids.com 
hxxp://www.usamerchandiseinc.com/ 
hxxp://www.blogconsciente.com/secadmin/eLogin.php 



Although the cybercriminal/gang of cybercriminals behind 
this campaign applied basic OPSEC practices to it, the fact 
that the C&C/malicious payload acquisition strategy is 
largely centralized (thankfully) indicates a critical flaw 
in their mode of thinking. 

This post has been reproduced from [11]Dancho Danchev's 
blog. Follow him [12]on Twitter. 
Summarizing Webroot's Threat Blog Posts for March
(2013-04-01 21:37)

The following is a brief summary of all of my posts at
Webroot's Threat Blog for March, 2013. You can subscribe to
[1]Webroot's Threat Blog RSS Feed, or follow me on
Twitter:

01. [2]New DIY IRC-based DDoS bot spotted in the wild

02. [3]Cybercriminals release new Java exploits centered
exploit kit

03. [4]Segmented Russian "spam leads" offered for sale

04. [5]New DIY hacked email account content grabbing tool
facilitates cyber espionage on a mass scale

05. [6]New DIY unsigned malicious Java applet generating
tool spotted in the wild

06. [7]Commercial Steam 'information harvester/mass
group inviter' could lead to targeted fraudulent campaigns

07. [8]Fake BofA CashPro 'Online Digital Certificate'
themed emails lead to malware

08. [9]Spamvertised BBB 'Your Accreditation Terminated'
themed emails lead to Black Hole Exploit Kit

09. [10]New ZeuS source code based rootkit available for
purchase on the underground market

10. [11]Cybercriminals resume spamvertising 'Re: Fwd:
Wire Transfer' themed emails, serve client-side exploits and
malware

11. [12]Cybercrime-friendly community branded
HTTP/SMTP based keylogger spotted in the wild

12. [13]Hacked PCs as 'anonymization stepping-stones'
service operates in the open since 2004

13. [14]Fake 'CNN Breaking News Alerts' themed emails
lead to Black Hole Exploit Kit

14. [15]Spotted: cybercriminals working on new Western
Union based 'money mule management' script

15. [16]Malicious 'BBC Daily Email' Cyprus bailout themed
emails lead to Black Hole Exploit Kit

16. [17]'ADP Payroll Invoice' themed emails lead to
malware

17. [18]'Terminated Wire Transfer Notification/ACH File ID'
themed malicious campaigns lead to Black Hole Exploit
Kit

18. [19]New DIY RDP-based botnet generating tool leaks in
the wild

19. [20]A peek inside the EgyPack Web malware
exploitation kit

This post has been reproduced from [21]Dancho
Danchev's blog. Follow him [22]on Twitter.
Historical OSINT - The "BadB International"
Cybercrime Enterprise (2013-04-10 21:53)

[1]BadB is the nickname of Vladislav Anatolievich
Horohorin, a high profile carder, who eventually [2]got
busted in France in 2010. This month, he was
[3]sentenced to serve 88 months in prison, ordered to
pay $125,739 in restitution, and sentenced to two years
of supervised release.

In the wake of these events, I decided to release some raw
OSINT data regarding BadB's official Web site,
hxxp://badb.biz.
Related URLs: hxxp://badb.biz; hxxp://badb.org;
hxxp://dumps.name

Emails:

badb4cc@yahoo.com;
metaksa_s@yahoo.com;
support@agava.com;
admin@agava.com;
admin@carderplanet.biz

ICQ: 49162552

Phone number: -1-19522325532 (Working according to
BadB in 2009)

IP hosting history for badb.biz from 2005 to 2010 in
the format (initial hosting IP -> IP change detected
to a new IP):

217.107.212.115 -> 64.202.167.129
64.202.167.129 -> 217.107.212.115
217.107.212.115 -> 217.107.212.9
217.107.212.9 -> 89.108.66.104
89.108.66.104 -> 68.178.232.99
68.178.232.99 -> 89.108.66.104
216.8.177.23 -> 78.109.18.150
78.109.18.150 -> 196.32.222.9
89.108.73.117 -> 94.75.221.75
94.75.221.75 -> 92.241.164.92

Sample About Us section description from badb.biz:

We are independent e-commerce security investigation
group. We are help e-commerce organisations such as Visa,
Mastercard, regional processings and other e-commerce
structures to understand how vulnerable they are. We are
not connected to any crimminal structures, not performing
any outlaw actions by ourselves, not selling drugs, not
sendinding any spam, not connected to any child porno, not
supporting terrorists itselves nor terrorist organisations.
If you received any spam from us - this is a fake of our
enemies we are never use spam to promote our site. All
information you can read here provided "As Is" and only for
educational purposes. All articles are copyrighted, if you
wish to take any part of information from here - please
reffer to origination site. All we do - is we have for sale
some dumps, cvvs and cobs - just for experemental
purposes of our custommers;-) We listen and effectively
respond to your needs and those of your clients. We are
experts at translating those needs into marketing solutions
that work, look great and communicate well. Each day brings
increased opportunity to increase business in current as
well as new.

This case is a great example of a simple fact - with or
without BadB, [4]the market for stolen credit card
data continued growing throughout the entire 2011.

Then in 2012, we witnessed two law enforcement
operations, courtesy of [5]SOCA and the [6]FBI. However,
despite these efforts, the market for stolen credit card
data remains as vibrant as always.

Thanks to the [7]standardization taking place in
respect to the money mule recruitment process, as well as
the nearly identical online shops for stolen credit card data,
those who cannot "cash out" the balances of the credit
cards will choose to [8]risk-forward the selling process to
the buyers of the stolen data. The rest will basically
continue looking for more efficient, automatic, and
anonymous ways to get access to the stolen money,
continuing to rely on money mules or virtual currencies.

This post has been reproduced from [9]Dancho
Danchev's blog. Follow him [10]on Twitter.
1. http://www.youtube.com/watch?v=9v4ii i OXGe a
2. http://www.wired.com/threatlevel/2010/08/badb/
3. http://www.justice.gov/opa/pr/2013/April/13-crm-386.html
4. http://ddanchev.blogspot.com/2011/10/exposing-market-for-stolen-credit-cards.html
5. http://www.soca.gov.uk/news/446-web-domains-seized-in-international-operation-to-target-online-fraudsters
6. http://www.zdnet.com/blog/security/24-cybercriminals-arrested-in-operation-card-shop/12435
7. http://ddanchev.blogspot.com/2009/10/standardizing-money-mule-recruitment.html
8. http://blog.webroot.com/2013/03/22/spotted-cybercriminals-working-on-new-western-union-based-money-mule-management-script/
What's the ROI on Going to a Virtual Blackhat SEO
School? (2013-04-17 23:45)

For years, fraudulent or [1]purely malicious actors have
been abusing the online advertising market, by [2]directly
hijacking and redirecting [3]the revenue flow, or by
[4]successfully and efficiently hijacking as large a
percentage of legitimate search traffic as possible, and
monetizing it through the use of [5]blackhat SEO (search
engine optimization) tactics/shady affiliate networks.

[6]Monetizing the very monetization process?
Standardizing the revenue generation and knowledge
spreading streams, achieving efficiencies in the process, and
directly contributing to a new, this time better
trained/educated generation of blackhat SEO-ers? Someone
is, knowingly or unknowingly, on a mission. A mission with
a brand.

In this post, I'll profile a highly successful [7]blackhat SEO
"school" that promises the Moon, but asks for nothing
except $1,000 for the training course, which will turn you
into a sophisticated blackhat SEO expert, netting you
huge amounts of money.

Operating in the open since 2010, the service is currently
(2013) asking for $350, presumably to keep the flow of new
customers going. Since its initial launch date, the
business model has relied on a loyal set of people who
already "took" the course and continue making money up
to the present day. This loyalty and happy customer
"feedback" is best demonstrated by featuring exclusive
screenshots courtesy of the happy customers.

Initial forum advertisement: 
Welcome to the forum millionaires! So, I decided, now I will
welcome the new students.

And you know why?

My course, and our forum for more than two years, and
during that time has accumulated a huge pile of reviews
with the statistics. Wondered how many of my students
have earned over 2 years on my course?

And it turned out that except cars, apartments, purely
according to PP, pupils together earned 17 million rubles!
And it is only those who have shown their statistics. And I
think in 2 years they could make a few more millions.
(Figure is slightly inaccurate to 9 lines in a notebook I got
tired and started to round + decided not to take into
account the 3,000,000 earnings per pupil)

In two years, we have made dozens of millionaires in
Russia, Ukraine and Belarus. Their lives changed
immediately, as soon as they hit the family. People sitting
in debt in a few months to buy a new car.

People are sitting at their desks yesterday brought home
two monthly salaries parents, and explained that it is
unashamedly from the Internet, it is their earnings!

People who are already my course have been very
successful become even more successful. The forum is
stable enough people who earn a day 50-60 thousand
rubles. This is not theoretical, not uncle in suits, this is the
same young guys like you or me.

Although I must admit, the forum is and uncle in suits for
30-40 years, primarily to get through doorways capital to
support their business.

And all these people realize that they are family, friends,
and they willingly associate, dividing their experiences,
secrets! Access to the course - it is a unique opportunity to
touch the thought of successful people, to breathe the
same air with them, get their energy and join the ranks of
millionaires.

As early as the year, the forum has two tech support, and
username, people are few easy counseled hundreds of
students and even if they did not do dory - would know
what the perfect doorway

BUT! They do work, make Dora always advise how to make
your doorway even better answer the most stupid question,
and will lead to the most stable earnings.

Now, if you are reading these lines and think that $ 1000 for
access and the opportunity to become a millionaire in 24\7
support from a support, for the opportunity to be in the new
family is expensive, I never selling you access.

We need people who value themselves, their money and
time. If $ 1,000 seems to you a great price, then you will
never become a millionaire from the Internet and you
simply do not want my family

Imagine you paid $ 1,000 in the bank say, come back every
day to ask questions and get a month - $ 100,000, it is
tempting? Here's a bank - this is our forum. And 80 pages
of reviews stands surety for this bank.

You may think, but what for me is all good topic no one will
sell!

And I grieve you. It's not the topic, not the scheme, not the
holy grail. It's work. Work by a support forum and make it
so simple that you will forget the times when you have not
worked with doorways.

A successful guys will charge you so much energy that the
work will be for you the best thing in life. You're going to
sleep at 4:00, waking up in the middle of the night with
burning eyes, watch as your dorveychiki live there, and how
many thousands have already dripped while you were
sleeping.

Through it all the disciples, and I think they would give, and
10 and 100 thousand dollars to get through it again.

But there is a dump in a Public Forum, everything is - you
say.

And I'll tell you the story of how one day I lost the backup of
offline and restored the forum 15 minutes ago from what it
was last time. And it was a huge mistake! Lost about 50
messages, 12 topics and 5-6 blog posts! The disciples were
indignant. On our forum mad update rate, and dump the
last year and the relevance of information out there already
in negative degrees and I am afraid that only harms
doorways.

But I can learn myself! Yes you can, spend a few years on
independent learning.

And you can put a time out and spend $ 1000 on an active
training week and immediately makes the doorways
correctly. Once again, we are waiting for our club
anonymous millionaires of people who know the value of
money and his own time, who want to invest in yourself,
earn, and not break your head against the wall, when there
are people who will show how to get around.

Course can be purchased on the preliminary interview in
ICQ price - $ 1000.

And remember, we are, we need special people, very few of
them, they are people who are willing to invest in yourself
and do not try to save yourself cheaply though. So I throw
in ICQ to ignore anyone who asks me for a discount or
credit. I understand that in spite of the 80-page review, you
may be unsure if it will work with you. Therefore, we give a
new guarantee manibeka. If two weeks you feel - that
doorway - it's not yours, we will refund the money and pay
the top 5 million rubles, for what you have spent your
time!

Frequently Asked Questions (FAQ)

Good day, and now its time to answer all the questions a
novice who wants to buy a course to dot the i, made to
understand that he buys, he will get what may
dobitsya.Nus's begin.

1.Chem we do?

Black seo.Dorvei.Dory are very flexible and tenacious tool
for earnings, its flexibility due to the variety of topics and
types of monetization, and vitality - the existence of PS,
and how long will exist as long as the search engines will
be using dory. We produce traffic, ie the users, ie the
people, the traffic is the blood in the veins of the internet,
and this is the main advantage that dorveyschik unlike
white SEOs can in a short time to break a lot more traffa a
completely different subjects and to merge it back where it
needs. in a simple version of all is:

1. Registriruemsya an affiliate program, it gives you the
choice of partner sites of some topics (topics vary from porn
and finishing all kinds of divination), statistics (to track
kollvo coming to your site, paid for kollvo, Colva who have
come again).

2. Delaem doorway, we find:

- Thematic traffistye quality keys (which are appropriate to
the site subject we took from PP)

- Template

- Text

All this is described in detail in the course and on the forum.

3. Zalivaem doorway to shell

4. Zhdem 4.3 apa (an - update Yandex search results, also
known as SERP, quite by chance, usually up to one week,
sometimes more)

5. Poluchaem traff and accordingly money.

Well this is just a simple and obvious option, work with SMS
affiliate, to start - the fact that many small minded people
to talk about the thousandth time of death doorways as
income. Just because of the changes in the SMS payment,
it's wrong, it's stupid, it's self-deception to deceive drugih.I
as, say, we have learned to produce traffic, our traffic
started to give Dora and now we have to redirect it
somewhere ie merge and convert / convert into money, a
lot of options:

1. Partnerki with sms payment, the most obvious and as I
wrote the best option to start.

2. Partnerki pay-per-download and install the file, such PP a
lot, and they are all different, from the fact that you are
paying for the jump and the malicious Trojan or whether
something like that, to quite formal type of games WORLD
of-tanks, Yandex bars etc. and tp.Imeya large amounts of
traffic (which is the second task dorveyschika, increase the
volume of traffic) in the first and in the second option
holders PP will take you with open arms and make bonuses.

3.Svoi online shopping and platniki. V this topic a little
feedback from these guys, as many prefer to work with SMS
and other PP, but byvali.Odin met some of the students at
comrade serche, he did an Internet jewelry store and the
problem was my student in the production of traffic, he
quickly picked up, done and grabbed a piece of the profit.

All that I wrote just for you to understand, I teach mine
traffic, targeted traffic from search engines, I would suggest
the best methods of monetization, by which usually fight off
the course, but never forget that you have a great
opportunity to go and grab a piece of the traffa on desired
topics with Yandex and merge where necessary

2. Navernoe topic died, bought her so much, so long
existed, much is competition?

I am for all the time of sale of the course has experienced
the death of a thousand and one as the reward scheme, but
that's amazing, for some reason all those who want to -
successfully earn dorah.Chto for competition - in dorah very
high turnover, namely Dora always fly into the index
(Yandex search) and flew over, it's all backed by the
characteristic features of the behavior dorveyschika and
dorveyschik often tasting dough, he realized how easily
make dory, does pack and walk yourself getting denyuzhki,
leaving room for other results.

3. Zachem you sell?

That's what I do - called infobiznesom admit, when all this
started, I such a word and znal.Est two concepts, with
which you can ever accurately explain the infobiznesa,
information and insider information autsayder.Kogda-long
ago, when I was dramas and gathering information about
them bit by bit on various forums - I was an outsider, I was
not available methods that can quickly lead to success, and
everything had to be found by experiment, my first income
from went after 3 months and a naked enthusiasm
nadezhdyPokupaya course you get insider information,
which is called the bat, straight to the kitchen where
everything is cooked, I do not sell super flow sheet, I only
give an opportunity and take it for a fee, sell their time and,
in recent years, more and more nerves, which is why, in
order to maintain this non-renewable resource, and I wrote
it, do not be lazy, read.

4.Kak guarantee that / Otobaya course?

No! Absolutely! Absolutely no. When we first started selling
rate - while I was still able to provide guarantees to score
reviews, to prove to everyone that the theme works, but
now - no, no way! Your warranty - you, your desire, hard
work, commitment - that guarantee it, I can not guarantee
anything I can not and will not, often when a person writes
me word guarantee, he wants me to take responsibility for
his lazy ass over - No, I'm sorry

5.Malenky advice, how to effectively master the
course and see if it fits you at all.

My experience learning heaps different people, still divided
them into two types, this is a huge difference, the gap
between the two approaches to learning, results in a huge
gap in the success of these students.

The first type: people with pure slave mentality, they need
to stick, do not explain, do not need to seek understanding,
just poke, push there, click here.

How he thinks: Suppose we make a template for Dora, and
we need to write deksripshen, deskripshen - description of
the site which comes out at the bottom under the link, his
task - to give information about the page and encourage
people to move to tyknut ie sayt.On asks me what write
here, I explain what it is and I say write something that
would please you, and you would make pereyti.On in a
stupor, he can not think and can not even offer the option,
he just wants me to tell him that there napisat.Eto not right!

The second type: The second type is often trying to
organize all the information in the first place to understand
how things work, and there are already having a solid
foundation and framework - to batter me with questions
and to increase their knowledge, for example of the first
type, the second type, after hearing deskripshen what and
why it is, would compare with my examples and offered his
variant. Vot so you have to be, if you're so - I'll be glad to
have you in the ranks of students.

6. Tsena huge! Tc asshole, the course did not buy, but
it's an asshole! Reviews delete it!

Do not like the price - do not buy it, no one vparivaet, there
is no hint of the imposition of the course, under the gun
more so no one makes pokupat.Golye hit and conclusions
about the course of those who did not buy it - please do not
post, I immediately call the moderators, all is removed, how
can you talk about the course, not having been on FSU How
we can talk about what you do not know, if you were not in
the motivation section on the forum where dozens of
success stories of students? I bought the course, learned,
wrote otzyv.Ya a moderator section only CEO and section
on "Work" where this topic - I can not moderate.

7. What I receive after payment?

Education - after payment receive video / txt + access to
the forum, watch / read/ do, have questions - ask, discuss -
send to the forum, no - rasskazyvayu.Esli you read the topic
that many people write that the chip in the forum,
unnecessarily there is a lot of relevant info and all you
happy pomoch. Ves free software data - paid counterparts
shown in forume.Dostup forum and consultations Asik -
unlimited.

8.Skolko need to successfully quick Start?

Then (in a week or another) will need $ 10-20 for vpn (both
analog proxy / socks or Dedicated Server) and 200-300
rubles for glanders.

9.Kak Otobaya fast I / osvoyu course?

Everything is individual, calculate and even about to say (to
you) this time period may depend both on the human factor
(your knowledge, experience) and on Yandex, which is quite
nepredskazuem.Osnovyvayas on the experience of previous
students gives dor $ 200 4 up to 30 days after the
publication of indeks.3-4 apa usually climbs Dor ups are
completely random, look here http://seobudget.ru/updates
labeled SERF.

10. Rynok forum -

In our forum, which you can access after purchase - there is
a market, as in any other forum, it is an integral part of the
forum who wants to live, and in the end we are all in this
forum for one reason - we all want to make money
someone else has earned, someone just nachinaet. V
Unlike other forums - the market for FSU controlling me, he
monopolizirovan. Kursy of its kind in the forum - I only sell
and no other, their commercial activities in the forum - with
me coordinate is not necessary, but if it is removed - so she
does not belong here.

Screenshots provided by actual customers of the 
service, featuring its primary ICQ contact point: 
Blackhat SEO - it doesn't just pay the bills.

This post has been reproduced from [8]Dancho 
Danchev's blog. Follow him [9]on Twitter. 

1. http://www.av-test.org/fileadmin/pdf/avtest_2013-03_search_engines_malware_english.pdf
2. http://ddanchev.blogspot.com/2010/07/sampling-malicious-activity-inside.html
3. http://www.zdnet.com/blog/security/cybercriminals-promoting-malware-friendly-search-engines/3333
4. http://www.zdnet.com/blog/security/botnets-committing-click-fraud-observed/1200
5. https://www.google.com/#output=search&sclient=psy-ab&q=site:ddanchev.blogspot.com+%22blackhat+seo%22&oq=site:ddanchev.blogspot.com+%22blackhat+seo%22&gs_l=
6. http://ddanchev.blogspot.com/2009/06/peek-inside-managed-blackhat-seo.html
7. https://www.google.com/#output=search&sclient=psy-ab&q=site:ddanchev.blogspot.com+blackhat+seo
8. http://ddanchev.blogspot.com/
9. http://twitter.com/danchodanchev
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What's the ROI on Going to a Virtual Blackhat SEO 
School? (2013-04-17 23:45) 

For years, fraudulent or [l]purely malicious actors have 
been abusing the online advertising market, by [2]directly 
hijacking and redirecting [3]the revenue flow, or by 
[4]successfully and efficiently hijacking as much 
percentage of legitimate search traffic as possible, and 










































monetizing it through the use of [5]blackhat SEO (search 
engine 

optimization) tactics/shady affiliate networks. 

[6]Monetizing the very monetization process? Standardizing the revenue generation and knowledge-spreading streams, achieving efficiencies in the process, and directly contributing to a new, this time better trained/educated generation of blackhat SEO-ers? Someone is, knowingly or unknowingly, on a mission. A mission with a brand. 

In this post, I'll profile a highly successful [7]blackhat SEO "school" that promises the Moon, but asks for nothing except $1,000 for the training course, which will turn you into a sophisticated blackhat SEO expert, netting you huge amounts of money. 

Operating in the open since 2010, the service is currently (2013) asking for $350, presumably to keep the flow of new customers going. Since its initial launch date, the business model has relied on a loyal set of people who already "took" the course and continue making money up to the present day. A loyalty and happy-customer "feedback" best demonstrated by featuring exclusive screenshots courtesy of the happy customers. 

Initial forum advertisement: 

Welcome to the forum, millionaires! So, I decided, now I will welcome the new students. 

And you know why? 

My course, and our forum for more than two years, and during that time has accumulated a huge pile of reviews with the statistics. Wondered how many of my students have earned over 2 years on my course? 

And it turned out that except cars, apartments, purely according to PP, pupils together earned 17 million rubles! And it is only those who have shown their statistics. And I think in 2 years they could make a few more millions. (Figure is slightly inaccurate to 9 lines in a notebook I got tired and started to round - I decided not to take into account the 3,000,000 earnings per pupil) 

In two years, we have made dozens of millionaires in Russia, Ukraine and Belarus. Their lives changed immediately, as soon as they hit the family. People sitting in debt in a few months to buy a new car. 

People sitting at their desks yesterday brought home two monthly salaries of parents, and explained that it is unashamedly from the Internet, it is their earnings! 

People who are already my course have been very successful become even more successful. The forum is stable enough people who earn a day 50-60 thousand rubles. This is not theoretical, not uncle in suits, this is the same young guys like you or me. 

Although I must admit, the forum is and uncle in suits for 30-40 years, primarily to get through doorways capital to support their business. 

And all these people realize that they are family, friends, and they willingly associate, dividing their experiences, secrets! Access to the course - it is a unique opportunity to touch the thought of successful people, to breathe the same air with them, get their energy and join the ranks of millionaires. 

As early as the year, the forum has two tech support, and username, people are few easy counseled hundreds of students and even if they did not do dory - would know what the perfect doorway. 

BUT! They do work, make Dora always advise how to make your doorway even better answer the most stupid question, and will lead to the most stable earnings. 

Now, if you are reading these lines and think that $1000 for access and the opportunity to become a millionaire in 24/7 support from a support, for the opportunity to be in the new family is expensive, I never selling you access. 

We need people who value themselves, their money and time, if $1,000 seems to you a great price, then you will never become a millionaire from the internet and you simply do not want my family. 

Imagine you paid $1,000 in the bank say, come back every day to ask questions and get a month - $100,000, it is tempting? Here's a bank - this is our forum. And 80 pages of reviews stands surety for this bank. 

You may think, but what for me is all good topic no one will sell! 

And I grieve you, it's not the topic, not the scheme, not the holy grail, it's work. Work by a support forum and make it so simple that you will forget the times when you have not worked with doorways. 

A successful guys will charge you so much energy that the work will be for you the best thing in life. You're going to sleep at 4:00, waking up in the middle of the night with burning eyes, watch as your dorveychiki live there, and how many thousands have already dripped while you were sleeping. 

Through it all the disciples, and I think they would give, and 10 and 100 thousand dollars to get through it again. 

But there is a dump in a Public Forum, everything is - you say. 

And I'll tell you the story of how one day I lost the backup of offline and restored the forum 15 minutes ago from what it was last time. And it was a huge mistake! Lost about 50 messages, 12 topics and 5-6 blog posts! The disciples were indignant. On our forum mad update rate, and dump the last year and the relevance of information out there already in negative degrees and I am afraid that only harms doorways. 

But I can learn myself! Yes you can, spend a few years on independent learning. 

And you can put a time out and spend $1000 on an active training week and immediately makes the doorways correctly. Once again, we are waiting for our club anonymous millionaires of people who know the value of money and his own time, who want to invest in yourself, earn, and not break your head against the wall, when there are people who will show how to get around. 

Course can be purchased on the preliminary interview in ICQ price - $1000. 

And remember, we are, we need special people, very few of them, they are people who are willing to invest in yourself and do not try to save yourself cheaply though. So I throw in ICQ to ignore anyone who asks me for a discount or credit. I understand that in spite of the 80-page review, you may be unsure if it will work with you. Therefore, we give a new guarantee manibeka. If two weeks you feel - that doorway - it's not yours, we will refund the money and pay the top 5 million rubles, for what you have spent your time! 


Frequently Asked Questions (FAQ) 

Good day, and now it's time to answer all the questions a novice who wants to buy a course to dot the i, made to understand that he buys, he will get what may dobitsya. Nus's begin. 

1. Chem we do? 

Black SEO. Dorvei. Dory are very flexible and tenacious tool for earnings, its flexibility due to the variety of topics and types of monetization, and vitality - the existence of PS, and how long will exist as long as the search engines will be using dory. We produce traffic, ie the users, ie the people, the traffic is the blood in the veins of the internet, and this is the main advantage that dorveyschik unlike white SEOs can in a short time to break a lot more traffa a completely different subjects and to merge it back where it needs. In a simple version of all is: 

1. Registriruemsya an affiliate program, it gives you the choice of partner sites of some topics (topics vary from porn and finishing all kinds of divination), statistics (to track kolivo coming to your site, paid for kolivo, Colva who have come again). 

2. Delaem doorway, we find: 

- Thematic traffistye quality keys (which are appropriate to the site subject we took from PP) 

- Template 

- Text 

All this is described in detail in the course and on the forum. 

3. Zalivaem doorway to shell 

4. Zhdem apa (ap - update Yandex search results, also known as SERP, quite by chance, usually up to one week, sometimes more) 

5. Poluchaem traff and accordingly money 

Well this is just a simple and obvious option, work with SMS affiliate, to start - the fact that many small minded people to talk about the thousandth time of death doorways as income. Just because of the changes in the SMS payment, it's wrong, it's stupid, it's self-deception to deceive drugih. I as, say, we have learned to produce traffic, our traffic started to give Dora and now we have to redirect it somewhere ie merge and convert / convert into money, a lot of options: 

1. Partnerki with sms payment, the most obvious and as I wrote the best option to start. 

2. Partnerki pay-per-download and install the file, such PP a lot, and they are all different, from the fact that you are paying for the jump and the malicious Trojan or whether something like that, to quite formal type of games World of Tanks, Yandex bars etc. and tp. Imeya large amounts of traffic (which is the second task dorveyschika, increase the volume of traffic) in the first and in the second option holders PP will take you with open arms and make bonuses. 

3. Svoi online shopping and platniki. V this topic a little feedback from these guys, as many prefer to work with SMS and other PP, but byvali. Odin met some of the students at comrade serche, he did an Internet jewelry store and the problem was my student in the production of traffic, he quickly picked up, done and grabbed a piece of the profit. 

All that I wrote just for you to understand, I teach mine traffic, targeted traffic from search engines, I would suggest the best methods of monetization, by which usually fight off the course, but never forget that you have a great opportunity to go and grab a piece of the traffa on desired topics with Yandex and merge where necessary. 

2. Navernoe topic died, bought her so much, so long existed, much is competition? 

I am for all the time of sale of the course has experienced the death of a thousand and one as the reward scheme, but that's amazing, for some reason all those who want to - successfully earn dorah. Chto for competition - in dorah very high turnover, namely Dora always fly into the index (Yandex search) and flew over, it's all backed by the characteristic features of the behavior dorveyschika and dorveyschik often tasting dough, he realized how easily make dory, does pack and walk yourself getting denyuzhki, leaving room for other results. 

3. Zachem you sell? 

That's what I do - called Infobiznesom admit, when all this started, I such a word and znal. Est two concepts, with which you can ever accurately explain the Infobiznesa, Information and Insider Information autsayder. Kogda-long ago, when I was dramas and gathering information about them bit by bit on various forums - I was an outsider, I was not available methods that can quickly lead to success, and everything had to be found by experiment, my first income from went after 3 months and a naked enthusiasm nadezhdy. Pokupaya course you get insider information, which is called the bat, straight to the kitchen where everything is cooked, I do not sell super flow sheet, I only give an opportunity and take it for a fee, sell their time and. In recent years, more and more nerves, which is why. In order to maintain this non-renewable resource, and I wrote it, do not be lazy, read. 

4. Kak guarantee that I Otobaya course? 

No! Absolutely! Absolutely no. When we first started selling rate - while I was still able to provide guarantees to score reviews, to prove to everyone that the theme works, but now - no, no way! Your warranty - you, your desire, hard work, commitment - that guarantee it, I can not guarantee anything, I can not and will not, often when a person writes me word guarantee, he wants me to take responsibility for his lazy ass over - No, I'm sorry. 

5. Malenky advice, how to effectively master the course and see if it fits you at all. 

My experience learning heaps different people, still divided them into two types, this is a huge difference, the gap between the two approaches to learning, results in a huge gap in the success of these students. 

The first type: people with pure slave mentality, they need to stick, do not explain, do not need to seek understanding, just poke, push there, dick here. 

How he thinks: Suppose we make a template for Dora, and we need to write deskripshen, deskripshen - description of the site which comes out at the bottom under the link, his task - to give information about the page and encourage people to move to tyknut ie sayt. On asks me what write here, I explain what it is and I say write something that would please you, and you would make pereyti. On in a stupor, he can not think and can not even offer the option, he just wants me to tell him that there napisat. Eto not right! 

The second type: The second type is often trying to organize all the information in the first place to understand how things work, and there are already having a solid foundation and framework - to batter me with questions and to increase their knowledge, for example of the first type, the second type, after hearing deskripshen what and why it is, would compare with my examples and offered his variant. Vot so you have to be, if you're so - I'll be glad to have you in the ranks of students. 

6. Tsena huge! Tc asshole, the course did not buy, but it's an asshole! Reviews delete it! 

Do not like the price - do not buy it, no one vparivaet, there is no hint of the imposition of the course, under the gun more so no one makes pokupat. Golye hit and conclusions about the course of those who did not buy it - please do not post, I immediately call the moderators, all is removed, how can you talk about the course, not having been on FSU. How we can talk about what you do not know, if you were not in the motivation section on the forum where dozens of success stories of students? I bought the course, learned, wrote otzyv. Ya a moderator section only CEO and section on "Work" where this topic - I can not moderate. 

7. What I receive after payment? 

Education - after payment receive video / txt + access to the forum, watch / read / do, have questions - ask, discuss - send to the forum, no - rasskazyvayu. Esli you read the topic that many people write that the chip in the forum, unnecessarily there is a lot of relevant info and all you happy pomoch. Ves free software data - paid counterparts shown in forume. Dostup forum and consultations Asik - unlimited. 

8. Skolko need to successfully quick start? 

Then (in a week or another) will need $10-20 for vpn (both analog proxy / socks or Dedicated Server) and 200-300 rubles for glanders. 

9. Kak Otobaya fast I osvoyu course? 

Everything is individual, calculate and even about to say (to you) this time period may depend both on the human factor (your knowledge, experience) and on Yandex, which is quite nepredskazuem. Osnovyvayas on the experience of previous students gives dor $200 4 up to 30 days after the publication of indeks. 3-4 apa usually climbs. Dor ups are completely random, look here http://seobudget.ru/updates labeled SERP. 

10. Rynok forum. 

In our forum, which you can access after purchase - there is a market, as in any other forum, it is an integral part of the forum who wants to live, and in the end we are all in this forum for one reason - we all want to make money someone else has earned, someone just nachinaet. V Unlike other forums - the market for FSU controlling me, he monopolizirovan. Kursy of its kind in the forum - I only sell and no other, their commercial activities in the forum - with me coordinate is not necessary, but if it is removed - so she does not belong here. 

Screenshots provided by actual customers of the service, featuring its primary ICQ contact point: 

Blackhat SEO - it doesn't just pay the bills. 

Updates will be posted as soon as new developments take place. 

1. http://www.av-test.org/fileadmin/pdf/avtest_2013-03_search_engines_malware_english.pdf 

2. http://ddanchev.blogspot.com/2010/07/sampling-malicious-activity-inside.html 

3. http://www.zdnet.com/blog/security/cybercriminals-promoting-malware-friendly-search-engines/3333 

4. http://www.zdnet.com/blog/security/botnets-committing-click-fraud-observed/1200 

5. https://www.google.com/#output=search&sclient=psy-ab&q=site:ddanchev.blogspot.com+%22blackhat+seo%22&oq=site:ddanchev.blogspot.com+%22blackhat+seo%22&gs_l= 

6. http://ddanchev.blogspot.com/2009/06/peek-inside-managed-blackhat-seo.html 

7. https://www.google.com/#output=search&sclient=psy-ab&q=site:ddanchev.blogspot.com+blackhat+seo 
Summarizing Webroot's Threat Blog Posts for April (2013-05-01 14:32) 

The following is a brief summary of all of my posts at Webroot's Threat Blog for April, 2013. You can subscribe to [1]Webroot's Threat Blog RSS Feed, or follow me on Twitter: 

01. [2]DIY Java-based RAT (Remote Access Tool) spotted in the wild 

02. [3]Spamvertised 'Re: Changelog as promised' themed emails lead to malware 

03. [4]Cybercrime-friendly service offers access to tens of thousands of compromised accounts 

04. [5]Madi/Mahdi/Flashback OS X connected malware spreading through Skype 

05. [6]Cybercriminals selling valid 'business card' data of company executives across multiple verticals 

06. [7]A peek inside the 'Zerokit/0kit/ring0 bundle' bootkit 

07. [8]DIY Skype ring flooder offered for sale 

08. [9]Spamvertised 'Your order for helicopter for the weekend' themed emails lead to malware 

09. [10]A peek inside a 'life cycle aware' underground market ad for a private keylogger 

10. [11]American Airlines 'You can download your ticket' themed emails lead to malware 

11. [12]Cybercriminals offer spam-friendly SMTP servers for rent 

12. [13]How mobile spammers verify the validity of harvested phone numbers - part two 

13. [14]A peek inside a (cracked) commercially available RAT (Remote Access Tool) 

14. [15]DIY Russian mobile number harvesting tool spotted in the wild 

15. [16]DIY SIP-based TDoS tool/number validity checker offered for sale 

16. [17]CAPTCHA-solving Russian email account registration tool helps facilitate cybercrime 

17. [18]Historical OSINT - The 'Boston Marathon explosion' and 'Fertilizer plant explosion in Texas' themed malware campaigns 

18. [19]Fake 'DHL Delivery Report' themed emails lead to malware 

19. [20]Cybercriminals impersonate Bank of America (BofA), serve malware 

20. [21]How fraudulent blackhat SEO monetizers apply Quality Assurance (QA) to their DIY doorway generators 

21. [22]Managed 'Russian ransomware' as a service spotted in the wild 

This post has been reproduced from [23]Dancho Danchev's blog. Follow him [24]on Twitter. 

1. http://feeds2.feedburner.com/WebrootThreatBlog 

2. http://blog.webroot.com/2013/04/01/diy-java-based-rat-remote-access-tool-spotted-in-the-wild/ 

3. http://blog.webroot.com/2013/04/02/spamvertised-re-changelog-as-promised-themed-emails-lead-to-malware/ 

4. http://blog.webroot.com/2013/04/03/cybercrime-friendly-service-offers-access-to-tens-of-thousands-of-compromised-accounts/ 

5. http://blog.webroot.com/2013/04/04/madimahdiflashback-os-x-connected-malware-spreading-through-skype/ 

6. http://blog.webroot.com/2013/04/05/cybercriminals-selling-valid-business-cards-data-of-company-executives-across-multiple-verticals/ 

7. http://blog.webroot.com/2013/04/08/a-peek-inside-the-zerokit0kitring0-bundle-bootkit/ 

8. http://blog.webroot.com/2013/04/09/diy-skype-ring-flooder-offered-for-sale/ 

9. http://blog.webroot.com/2013/04/10/spamvertised-your-order-for-helicopter-for-the-weekend-themed-emails-lead-to-malware/ 

10. http://blog.webroot.com/2013/04/11/a-peek-inside-a-life-cycle-aware-underground-market-ad-for-a-private-keylogger/ 

11. http://blog.webroot.com/2013/04/12/american-airlines-you-can-download-your-ticket-themed-emails-lead-to-malware/ 

12. http://blog.webroot.com/2013/04/15/cybercriminals-offer-spam-friendly-smtp-servers-for-rent/ 

13. http://blog.webroot.com/2013/04/16/how-mobile-spammers-verify-the-validity-of-harvested-phone-numbers-part-two/ 

14. http://blog.webroot.com/2013/04/17/a-peek-inside-a-cracked-commercially-available-rat-remote-access-tool/ 

15. http://blog.webroot.com/2013/04/18/diy-russian-mobile-number-harvesting-tool-spotted-in-the-wild/ 

16. http://blog.webroot.com/2013/04/19/diy-sip-based-tdos-toolnumber-validity-checker-offered-for-sale/ 

17. http://blog.webroot.com/2013/04/23/captcha-solving-russian-email-account-registration-tool-helps-facilitate-cybercrime/ 

18. http://blog.webroot.com/2013/04/24/historical-osint-the-boston-marathon-explosion-and-fertilizer-plant-explosion-in-texas-themed-malware-campaigns/ 

19. http://blog.webroot.com/2013/04/25/fake-dhl-delivery-report-themed-emails-lead-to-malware/ 

20. http://blog.webroot.com/2013/04/26/cybercriminals-impersonate-bank-of-america-bofa-serve-malware/ 

21. http://blog.webroot.com/2013/04/29/how-fraudulent-blackhat-seo-monetizers-apply-quality-assurance-qa-to-their-diy-doorway-generators/ 

22. http://blog.webroot.com/2013/04/30/managed-russian-ransomware-as-a-service-spotted-in-the-wild/ 

23. http://ddanchev.blogspot.com/ 

24. http://twitter.com/danchodanchev 
Fake 'Facebook Profile Spy Application' Campaign Spreading Across Facebook (2013-05-24 18:58) 

Over the last couple of days, multi-tasking cybercriminals have been spreading a "Facebook Profile Spy" campaign across Facebook, enticing users into installing a rogue Chrome extension, next to monetizing the campaign through an unethical pseudo-mobile marketing agency, known as Prizerally. 

Sample redirection chain: 

hxxps://www.facebook.com/pages/Hajmcl rnjr/172683159561584?sk=app_190322544333196&9DyG45 
-> 
hxxp://horribleapps.com 
-> 
hxxp://terribleapps.com 
-> 
hxxps://chrome.google.com/webstore/detail/oacggeibdmjpmecojanlbbngabkincif 
-> 
hxxp://www.picapplication.com/profile/last.html?l 
-> 
hxxp://flightdealsrome.net/?subid=4563 
-> 
hxxp://lp.prizerally.com 

Domain names reconnaissance: 

horribleapps.com - 66.150.99.179 (picovator.com) - Email: Masterjxl2@gmail.com 

terribleapps.com - 66.150.99.21 (puzzledapps.com; testyapps.com) - Email: Masterjxl2@gmail.com 

picapplication.com - 66.150.99.179 - Email: joshuarhodes1989@gmail.com 

flightdealsrome.net - 174.140.17.100 

prizerally.com - 46.19.35.207 - Email: domains@mypengomobile.com 

We also got the following fraudulent and typosquatted domains known to have responded to the same IP (174.140.17.100) in the past: 

0418490819.com 
2020testing.net 
aaacomtests.net 
aaacontests.net 
aaamathtests.net 
accordput.net 
aceonlinetest.com 
activetester.com 
adjustfit.net 
adjustpair.net 
adjusttie.net 
adsiim.com 
adventuretester.com 
aidonlinesurveys.com 
airplanetester.com 
alignhang.net 
alignmake.net 
aliketester.com 
aiiosurvey.net 
amatuercumshots.org 
analyzequiz.net 
animalplanet.net 
aninnereak.tv 
answeringonlinesurveys.com 
apptitudeonlinetest.com 
arcosurvey.net 
attuneeven.net 
attunefix.net 
attunehang.net 
attunemake.net 
attunepair.net 
attunetune.net 
avizoon.com 
azdes.org 
bajarvideo.com 
balanceattune.net 
balancecollate.net 
balanceconnect.net 
balancecounteract.net 
balanceeven-steven.net 
balancefocus.net 
balancelevel.net 
balanceneutralize.net 
balancenullify.net 
balanceoverhaul.net 
balancerectify.net 
balancesymmetry.net 
balancetighten.net 
bargainonlinetest.com 
bensurvey.net 
bestgetpaidonlinesurveys.com 
bestonlinesurveysformoney.com 
bestonlinesurveysforpay.com 
bestonlinesurveyswebsite.com 
bestprizedraw.com 
bestratedonlinesurveys.com 
bestwebquiz.net 
bigpaidonlinesurveys.com 
bitsonlinetest.com 
blackgaygalleries.com 
bletsurvey.net 
blosurvey.net 
bobmarly.com 
bollywoodringtonessite.com 
bret.com 
bringgrind.net 
bringtie.net 
buiibabear.com 
buildonlinesurveys.com 
cancelfix.net 
cansafelist.com 
carquestionswebsite.com 
censurvey.net 
challengequizonline.net 
cheaponlinetests.com 
chinabestlink.com 
clickbusinessinfo.net 
coinsurvey.net 
collegeonlinetests.com 
commercenetweb.com 
compeitionstowinprizes.com 
coolfreequizzes.com 
cooponmom.net 
countest.net 
couponso.net 
crazyonlinequizzes.com 
creativelinkusa.com 
cuteonlinequizzes.com 
descargapeliculas.com 
dfedex.com 
didiwinaprize.net 
discountonlinetests.com 
dogquizzes.net 
dotnetlink.com 
downloadsmovies.com 
easyonlinetesting.com 
eicosurvey.net 
employersonlinetest.com 
englishonlinetest.com 
etestonlinetesting.com 
examxonlinetesting.com 
exposurvey.net 
farbestsurvey.net 
fastrackonlinesurveys.com 
fastsurveyworld.net 
fbso.com 
findonlinesurveysforcash.com 
fletsurvey.net 
fnnyvideo.com 
fontest.net 
free-live-xxx-cams.com 
friendsonlinequiz.com 
fuck-me-now.com 
funonlinequizsurvey.com 
funonlinequizteen.com 
funonlinequizzesforkids.com 
gay-sex-pics-porn-pictures-gay-sex-porn-gay-sex-pics-gay.com 
generalonlinequiz.com 
generatest.net 
geocites.com 
getpageranks.com 
googledark.com 
googlemx.com 
googletraductor.com 
googleunclesam.com 
googllemaps.com 
gooyoutube.com 
granny.ca 
gsd.com 
gyoutube.com 
hack-facebook.com 
hkatb.adsidns.org 
hohotmail.com 
holder.me 
holidaytravelpassport.net 
hotmaiim.com 
hotmauii.com 
hpforsale.org 
internet-questions.net 
ioutube.com 
kogregate.com 
ietsurvey.net 
lolita.org 
pollist.net 
pollower.net 
pollquestionsitewhdh.com 
pollustry.net 
pollutan.net 
poutsurvey.net 
question-answer-website.com 
questionansweringwebsites.com 
questionanswerstudy.net 
questionexams.net 
questionforthequiz.com 
questionnairesamplesurvey.com 
questionpersonalityquiz.net 
questionpollguide.net 
questionquizsite.net 
questionquizworld.net 
questionsforasurvey.com 
questionsitesell.com 
questionssurveys.com 
questionsurveyfriend.com 
quicksurveydirect.net 
quizbull.net 
quizbulla.net 
quizbullah.net 
quizbullen.net 
quizbullies.net 
quizbust.net 
quizbustav.net 
quizingles.net 
quizzeri.net 
quizzeris.net 
quizzerish.net 
rentube.com 
rep.ppmate.com 
repeatest.net 
ruralaresdubai.net.in 
sappygirls.com 
scensurvey.net 
securitytube.com 
seehomevids.com 
stratest.net 
sumotorrents.com 
sunsurvey.net 
superquestionquiz.net 
supersurveygroup.net 
supersurveysite.net 
survey-masters.net 
2surveyabisoute.net 
surveyaboutyou.net 
surveyacout.net 
surveyalot.net 
surveyanyone.net 
surveyask.net 
surveyassistant.net 
surveylatest.net 
susan.com 
testaustralia.com 
testige.net 
testigious.net 
testingacacdemy.net 
testingadvantage.net 
testingadwords.net 
testingagainagain.net 
testingame.net 
testion.net 
testivate.net 
testself.net 
tetsurvey.net 
thegreatanswer.com 
thenamequiz.net 
thequestionpoll.net 
thesurveyresearch.net 
thosurvey.net 
tmobiiw.com 
toutsurvey.net 
toyotest.net 
tsurvey.net 
tube99.com 
tunehang.net 
tunelevel.net 
tunemake.net 
tuneoppose.net 
tuneparity.net 
tuneservice.net 
tuneset.net 
tunesteady.net 
tunetie.net 
twittee.com 
unionbank.org 
unsurvey.net 
update.ppmate.com 
usagreatlink.com 
vacationcellular.net 
vintagetownbazar.co. 
watchyoutube.com 
webwordquiz.net 
weighfit.net 
weighmake.net 
weighmend.net 
weighparity.net 
weighpolish.net 
weightighten.net 
wesurvey.net 
wickapidea.com 
wickepidia.com 
worldcityonline.com 
wuizforcash.com 
www-yuotube.com 
www.ammoneta.com 
www.downloadsmovies.com 
www.foxchannel.com 
www.hack-facebook.com 
www.securitytube.com 
www.tmobiiw.com 
www.windycitywatchdog.com 
www.youtrube.com 
www.youtubemobile.com 
www.youtuve.com 
wwwquestionnairesurveys.com 
wwwtoutube.com 
yahoomailk.com 
yaotube.com 
yautube.com 
yootube.com 
yotobe.com 
youbube.com 
yourhomesurvey.net 
yourownsurvey.net 
yoursurveysite.net 
yourtopsite.com 
youtsurvey.net 
youtubemobile.com 
youtubi.com 
youtuhe.com 
youtuve.com 
ypoutube.com 
yuvuty.com 
zerosurvey.net 
As well as the following malicious MD5s phoning back to the same IP in the past: 

[1]MD5: e315a877c58773ce82cc32fc192bc1fa5 

[2]MD5: 1cd4c2a2b2143689b185e064dc6c331c 

[3]MD5: 26c5102e75daf3d3c696ad719bc55ad4 
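The pivot performed above, from one campaign IP to everything else that has resolved to it, followed by picking the brand look-alikes (youtuve.com, googllemaps.com, hohotmail.com, yahoomailk.com) out of that list, is mechanical enough to script. The following is an added example in Python, not code from the original post: the IP 174.140.17.100 and the domain names are quoted from the post, but the passive-DNS records pairing them, every date, and the brand list are constructed for the example. It pivots on the IP, then tags each co-hosted domain as a typosquat (edit distance of at most 2 from a brand label) or as a brand-embedding name (watchyoutube, hack-facebook); the label extraction is deliberately naive and does no public-suffix handling.

```python
"""Passive-DNS pivot plus brand look-alike tagging.

Added example, not code from the original post.  The IP 174.140.17.100 and
the domain names below are quoted from the post; the passive-DNS records that
pair them, every date, and the brand list are constructed for this example.
"""
from collections import namedtuple

Record = namedtuple("Record", "domain ip last_seen")

# Constructed passive-DNS observations.  Two unrelated records are included
# so that the pivot has something to leave out.
PASSIVE_DNS = [
    Record("flightdealsrome.net", "174.140.17.100", "2013-05-23"),
    Record("youtuve.com",         "174.140.17.100", "2012-11-02"),
    Record("googllemaps.com",     "174.140.17.100", "2012-09-14"),
    Record("hohotmail.com",       "174.140.17.100", "2012-08-30"),
    Record("yahoomailk.com",      "174.140.17.100", "2012-07-19"),
    Record("wickepidia.com",      "174.140.17.100", "2012-06-01"),
    Record("watchyoutube.com",    "174.140.17.100", "2012-04-12"),
    Record("hack-facebook.com",   "174.140.17.100", "2012-03-03"),
    Record("bensurvey.net",       "174.140.17.100", "2012-05-11"),
    Record("picapplication.com",  "66.150.99.179",  "2013-05-22"),
    Record("unrelated.example",   "192.0.2.10",     "2013-01-01"),
]

# Assumed brand labels to compare against (not taken from the post).
BRANDS = ["youtube", "google", "googlemaps", "hotmail", "yahoomail",
          "wikipedia", "facebook"]


def levenshtein(a, b):
    """Classic edit distance: insert, delete and substitute at unit cost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registered_label(domain):
    """Leftmost label after dropping a 'www.' prefix.  Deliberately naive:
    no public-suffix list, which is fine for the flat names on this list."""
    host = domain.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host.split(".")[0]


def cohosted(records, ip):
    """Every domain observed resolving to `ip`, deduplicated and sorted."""
    return sorted({r.domain for r in records if r.ip == ip})


def nearest_brand(domain, brands=BRANDS):
    """(brand, edit distance) of the brand closest to the domain's label."""
    label = registered_label(domain)
    return min(((b, levenshtein(label, b)) for b in brands),
               key=lambda pair: pair[1])


def classify(domain, brands=BRANDS, max_distance=2):
    """'typosquat' when within `max_distance` edits of a brand, 'embeds'
    when the label merely contains a brand, otherwise None."""
    label = registered_label(domain)
    brand, dist = nearest_brand(domain, brands)
    if 0 < dist <= max_distance:          # distance 0 would be the brand itself
        return ("typosquat", brand, dist)
    for b in brands:
        if b in label and label != b:
            return ("embeds", b, dist)
    return None


def pivot_report(records, ip, brands=BRANDS):
    """Pivot from one IP to its co-hosted domains and tag the look-alikes."""
    return {d: classify(d, brands) for d in cohosted(records, ip)}


if __name__ == "__main__":
    for domain, verdict in pivot_report(PASSIVE_DNS, "174.140.17.100").items():
        print(f"{domain:24s} {verdict}")
```

In practice the PASSIVE_DNS list would be replaced by the output of a passive-DNS provider, and the "embeds" class deserves a second look before blocking, since legitimate affiliates and fan sites also embed brand names.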

Prizerally's scheme is fairly simple: 

Service costs £3 per question played and a £4,50 sign up fee applies. You will receive an additional £1.50 charge for a reminder message tomorrow. Winners will be contacted every first business week of the month, all question entries must be received before 00.00 on the last day of the month. This is not a subscription service. Minimum age 18+ with bill payer's permission. One prize available per service per month. Customer service: call 0800 408 0796, email uk@prizerally.com or visit the website: www.prizerally.com. Play the game on your mobile. The winner will be selected among all participants in the first business week of every month. When participating you acknowledge that you agree to the terms & conditions, you are a resident of the UK, 18 years or older and authorized account holder and/or that you have the consent of the accountholder. £3 per question. This service is a product of Mypengo Mobile. 

Free entry method: send an email with your name, phone number, and prize you want to win to info@prizerally.com. 

Prizerally is not affiliated with, sponsored by or endorsed by any of the listed products or retailers. Trademarks, service marks, logos (including, without limitation, the individual names of products and retailers) are the property of their respective owners. When you see one of our Products on the Internet, you can start receiving our content via SMS (i.e. text message). You can enter your mobile telephone number on the landing pages via the Internet and confirm your registration. You hereby agree to the Terms and Conditions. Prizerally charges you £3,00 per question played. Each sent answer will be followed by a new question. If you stop sending answers you will not receive any more messages. Once stopped you will receive one extra £1,50 reminder message. To stop this message, simply text STOP to 85150. From this moment on you have to decide on your own if you will continue to play for more points. By answering a question, you will receive a new message containing a new puzzle/question also chargeable at £1,50 per text message received. When you stop sending answers the game will end. O2 and Orange customers can only spend the maximum amount of 30.00 a day. This spending cap applies for one day, so the next day these customers are eligible to play again. The maximum amount you can spend on our Prizerally service is £99.00. 

Facebook has been notified. The rogue Chrome extension 
has already been removed. 

This post has been reproduced from [4]Dancho 
Danchev's biog. Follow him [5]on Twitter. 

1 . 

httDs://www.virustotal.com/en/file/0329bd90deladl608bfe 

91210b66929caeb99a0574bbl008123b95c7blb0e756/ana 

[ys 

\sl 

2 . 

httDs://www. virustotal.com/en/file/35c970ae66dde7688e55 

a87860c8bc60d8ab3f502437448e0ea60dfcl9659499/anal 

ys 






3. 

httDs://www. virustotal.com/en/file/58337863b283dfcc03fef 

8614a821b2b63fb018cbl4f2353e97da4d42110b6dl/anal v 

s 

4. htto://ddanchev.blo as oot.com/ 

5. htto://twitter.com/danchodanchev 
Fake 'Facebook Profile Spy Application' Campaign Spreading Across Facebook (2013-05-24 18:58)

Over the last couple of days, multi-tasking cybercriminals have been spreading a "Facebook Profile Spy" campaign across Facebook, enticing users into installing a rogue Chrome extension, next to monetizing the campaign through an unethical pseudo-mobile marketing agency, known as Prizerally.

Sample redirection chain:

hxxps://www.facebook.com/pages/Hajmclrnjr/172683159561584?sk=app_190322544333196&9DyG45
-> hxxp://horribleapps.com
-> hxxp://terribleapps.com
-> hxxps://chrome.google.com/webstore/detail/oacggeibdmjpmecojanlbbngabkincif
-> hxxp://www.picapplication.com/profile/last.html?l
-> hxxp://flightdealsrome.net/?subid=4563
-> hxxp://lp.prizerally.com
Domain names reconnaissance:

horribleapps.com - 66.150.99.179 (picovator.com) - Email: Masterjxl2@gmail.com
terribleapps.com - 66.150.99.21 (puzzledapps.com; testyapps.com) - Email: Masterjxl2@gmail.com
picapplication.com - 66.150.99.179 - Email: joshuarhodes1989@gmail.com
flightdealsrome.net - 174.140.17.100
prizerally.com - 46.19.35.207 - Email: domains@mypengomobile.com

We also got the following fraudulent and typosquatted domains known to have responded to the same IP (174.140.17.100) in the past:

As well as the following malicious MD5s phoning back to the same IP in the past:

[1]MD5: e315a877c58773ce82cc32fc192bdfa5
[2]MD5: 1cd4c2a2b2143689b185e064dc6c331c
[3]MD5: 26c5102e75daf3d3c696ad719bc55ad4

Prizerally's scheme is fairly simple:

Service costs £3 per question played and a £4,50 sign up fee applies. You will receive an additional £1.50 charge for a reminder message tomorrow. Winners will be contacted every first business week of the month, all question entries must be received before 00.00 on the last day of the month. This is not a subscription service. Minimum age 18+ with bill payer's permission. One prize available per service per month. Customer service: call 0800 408 0796, email uk@prizerally.com or visit the website: www.prizerally.com. Play the game on your mobile. The winner will be selected among all participants in the first business week of every month. When participating you acknowledge that you agree to the terms & conditions, you are a resident of the UK, 18 years or older and authorized account holder and/or that you have the consent of the accountholder. £3 per question. This service is a product of Mypengo Mobile.

Free entry method: send an email with your name, phone number, and prize you want to win to info@prizerally.com.

Prizerally is not affiliated with, sponsored by or endorsed by any of the listed products or retailers. Trademarks, service marks, logos (including, without limitation, the individual names of products and retailers) are the property of their respective owners. When you see one of our Products on the Internet, you can start receiving our content via SMS (i.e. text message). You can enter your mobile telephone number on the landing pages via the Internet and confirm your registration. You hereby agree to the Terms and Conditions. Prizerally charges you £3,00 per question played. Each sent answer will be followed by a new question. If you stop sending answers you will not receive any more messages. Once stopped you will receive one extra £1,50 reminder message. To stop this message, simply text STOP to 85150. From this moment on you have to decide on your own if you will continue to play for more points. By answering a question, you will receive a new message containing a new puzzle/question also chargeable at £1,50 per text message received. When you stop sending answers the game will end. O2 and Orange customers can only spend the maximum amount of 30.00 a day. This spending cap applies for one day, so the next day these customers are eligible to play again. The maximum amount you can spend on our Prizerally service is £99.00.

Facebook has been notified. The rogue Chrome extension has already been removed.

Updates will be posted as soon as new developments take place.

1. https://www.virustotal.com/en/file/0329bd90de1ad1608bfe91210b66929caeb99a0574bb1008123b95c7b1b0e756/analysis/
2. https://www.virustotal.com/en/file/35c970ae66dde7688e55a87860c8bc60d8ab3f502437448e0ea60dfc19659499/analysis/
3. https://www.virustotal.com/en/file/58337863b283dfcc03fef8614a821b2b63fb018cb14f2353e97da4d42110b6d1/analysis/
A Peek Inside the Russian Underground Market for Fake Documents/IDs/Passports (2013-05-25 18:52)

[1]Fake IDs/fake passports have always been a hot [2]commodity within the cybercrime ecosystem. Thanks to their general availability and affordable prices - naturally based on the quality that a potential cybercriminal/fraudster is seeking - the vendors behind them continue undermining the trust chain that society/market thrives on, by empowering cybercriminals and fugitives with new IDs to be later on used in related fraudulent activities.

In this post, I'll sample fraudulent activity on the Russian underground marketplace, feature exclusive screenshots of fake passports currently offered for sale, and discuss how relatively low profile cybercriminals have been literally generating fake (Russian) passports for years, primarily relying on DIY passport/stamp generating tools.

Sample screenshots of the inventory of available fake passports for multiple countries:

Affected countries include: Russia, Belarus, Canada, Germany, Denmark, Finland, Israel, Netherlands (Holland), Norway, Romania, United Kingdom, United States, Australia, Ukraine. The prices vary between $20-30, and according to the vendors, use real people's data/photos etc.

It's also worth emphasizing the fact that, of all the countries, Russia's underground marketplace for fake documents is perhaps the most vibrant one. Next to high-quality fake documents/IDs/passports, there are naturally the cheap alternatives, which Russian fraudsters have been literally generating for years, relying on DIY (do-it-yourself) tools/stamp editors like these:

Thanks to the demand for such kind of underground market assets, I'm certain that that market would continue flourishing, and would eventually reach a stage where the vendors would start sacrificing OPSEC (Operational Security) in an attempt to reach customers from virtually every country. With localization on demand services proliferating, next to the affiliate based revenue-sharing models that are ubiquitous in the cybercrime ecosystem, vendors of fake documents/IDs/passports have virtually everything that they need at their disposal, if they were to start targeting the international audience.

This post has been reproduced from [3]Dancho Danchev's blog. Follow him [4]on Twitter.

1. http://www.team-cymru.com/ReadingRoom/WhitePapers/2010/FakeID_in_the_Underground_Economy.pdf
2. http://ddanchev.blogspot.com/2011/10/exposing-market-for-stolen-credit-cards.html
3. http://ddanchev.blogspot.com/
4. http://twitter.com/danchodanchev
Summarizing Webroot's Threat Blog Posts for May (2013-06-04 15:24)

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for May, 2013. You can subscribe to [2]Webroot's Threat Blog RSS Feed, or follow me on Twitter:

01. [3]FedWire 'Your Wire Transfer' themed emails lead to malware
02. [4]A peek inside a CVE-2013-0422 exploiting DIY malicious Java applet generating tool
03. [5]New IRC/HTTP based DDoS bot wipes out competing malware
04. [6]New version of DIY Google Dorks based mass website hacking tool spotted in the wild
05. [7]Citibank 'Merchant Billing Statement' themed emails lead to malware
06. [8]Fake Amazon 'Your Kindle E-Book Order' themed emails circulating in the wild, lead to client-side exploits and malware
07. [9]Cybercriminals impersonate New York State's Department of Motor Vehicles (DMV), serve malware
08. [10]Cybercriminals offer HTTP-based keylogger for sale, accept Bitcoin
09. [11]Newly launched E-shop for hacked PCs charges based on malware 'executions'
10. [12]New subscription-based 'stealth Bitcoin miner' spotted in the wild
11. [13]Fake 'Free Media Player' distributed via rogue 'Adobe Flash Player HD' advertisement
12. [14]Newly launched 'Magic Malware' spam campaign relies on bogus 'New MMS' messages
13. [15]Commercial 'form grabbing' rootkit spotted in the wild
14. [16]DIY malware cryptor as a Web service spotted in the wild - part two
15. [17]CVs and sensitive info soliciting email campaign impersonates NATO
16. [18]New commercially available DIY invisible Bitcoin miner spotted in the wild
17. [19]Fake 'Export License/Payment Invoice' themed emails lead to malware
18. [20]Compromised Indian government Web site leads to Black Hole Exploit Kit
19. [21]Cybercriminals resume spamvertising Citibank 'Merchant Billing Statement' themed emails, serve malware
20. [22]Marijuana-themed DDoS for hire service spotted in the wild
21. [23]Fake 'Vodafone U.K Images' themed malware serving spam campaign circulating in the wild

This post has been reproduced from [24]Dancho Danchev's blog. Follow him [25]on Twitter.
14. http://blog.webroot.com/2013/05/17/newly-launched-magic-malware-spam-campaign-relies-on-bogus-new-mms-messages/
15. http://blog.webroot.com/2013/05/17/commercial-form-grabbing-rootkit-spotted-in-the-wild/
16. http://blog.webroot.com/2013/05/20/diy-malware-cryptor-as-a-web-service-spotted-in-the-wild-part-two/
17. http://blog.webroot.com/2013/05/21/cvs-and-sensitive-info-soliciting-email-campaign-impersonates-nato/
18. http://blog.webroot.com/2013/05/22/new-commercially-available-diy-invisible-bitcoin-miner-spotted-in-the-wild/
19. http://blog.webroot.com/2013/05/23/fake-export-licensepayment-invoice-themed-emails-lead-to-malware/
21. http://blog.webroot.com/2013/05/29/cybercriminals-…t-themed-emails-serve-malware/
22. http://blog.webroot.com/2013/05/30/marijuana-themed-ddos-for-hire-service-spotted-in-the-wild/
23. http://blog.webroot.com/2013/05/31/fake-vodafone-u-k-images-themed-malware-serving-spam-campaign-circulating-in-the-wild/
25. http://twitter.com/danchodanchev
Malware-Serving "Who's Viewed Your Facebook Profile" Campaign Spreading Across Facebook (2013-06-10 15:07)

A currently ongoing Facebook-spreading, malware-serving campaign entices users into downloading and executing a malicious executable pretending to be a "Who's Viewed Your Facebook Profile" extension. In reality though, the executable, part of a campaign that's been ongoing for several months, will steal private information from local browsers, will auto-start on Windows startup, and will attempt to infect all of the victim's friends across Facebook.

The executable, including several other related executables part of the campaign, are currently hosted on Google Code, and according to Google Code's statistics, one of the malicious files has already been downloaded 1,870,788 times. Surprisingly, the Google Code project is called "Project Don't Download". Very interesting self-contradicting social engineering attempt.

Let's dissect the campaign, list the domain portfolio used in it, provide detection rates for the malicious executables, and connect the campaign to multiple other campaigns observed in the wild over the last couple of weeks.

[1]
Sample redirection chain:

hxxp://cnlz3.tk/?2959858
-> hxxp://profilelo.8c1.net/
-> hxxp://profileste.uni.me/?skuwjjsadsuquwhdas
-> hxxps://project-dont-download.googlecode.com/files/Profile%20View%20-%205v2.exe


Subdomain reconnaissance:

profilelo.8c1.net - 82.208.40.3
profileste.uni.me - 198.23.52.98
project-dont-download.googlecode.com - Email: mergimil4@live.com

Detection rate for the malicious executable: [2]MD5: c5b2247a37a8d26063af55c6c975782d - detected by 23 out of 47 antivirus scanners as JS:Clicker-P [Trj]; RDN/Generic.dx!chs

Once executed, the sample drops the following MD5s 
on the affected hosts: 


Download statistics for the malicious executables hosted on Google Code:

Profile Viewer - 5.exe - 1,870,788 downloads
Profile Stalker - V.exe - 45983 downloads
Profile View - 5v2.exe - 9496 downloads
Profile Stalker - D.exe - 2 downloads

Detection rates for the malicious executables hosted on Google Code:

Profile Stalker - D.exe - [3]MD5: c9220176786fe074de210529570959c5 - detected by 3 out of 47 antivirus scanners as Trojan.AVKill.30538; JS/TrojanClicker.Agent.NDL
Profile Stalker - V.exe - [4]MD5: a6073378d764e3af4cb289cac91b3f97 - detected by 24 out of 47 antivirus scanners as JS/TrojanClicker.Agent.NDL; Trojan.Win32.ClickerlBT
Profile Viewer - 5.exe - [5]MD5: 814837294bc34f288e31637bab955e6c - detected by 24 out of 47 antivirus scanners as Troj/Agent-ABOE

Samples phone back to the following URLs/domains:

hxxp://stats.app-data.net/installer.gif?action=started&browser=ie6&ver=1_26_153&bic=00A473047B09414785A7A54908970321IE&app=30413&appver=0&verifier=d3459d462f931be10f76456d86fe24d-5&srcid=0&subid=0&zdata=0&ff=0&ch=0&default=ie&os=XP32&admin=1&type=1&asw=0

stats.app-data.net - 207.171.163.139
app-static.crossrider.com - 69.16.175.10
errors.app-data.net - 207.171.163.139
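Added example, not code from the original post: a small Python scanner that runs over constructed proxy-log lines, flags requests to the phone-back hosts listed above or matching the installer.gif?action= beacon shape, and pulls out the query fields (bic, app, verifier, os, admin) an analyst would pivot on across infected hosts. The log format (timestamp, client IP, method, URL) is an assumption; only the beacon query string in the second sample line is taken from the post, every other line is made up.

```python
from urllib.parse import urlsplit, parse_qs

# Phone-back hosts named in the post (stats/errors.app-data.net and the Crossrider CDN).
BEACON_HOSTS = {
    "stats.app-data.net",
    "errors.app-data.net",
    "app-static.crossrider.com",
}

# Query fields from the installer.gif beacon worth pivoting on across hosts.
PIVOT_FIELDS = ("bic", "app", "verifier", "os", "admin")

# Constructed proxy log (timestamp, client IP, method, URL). Not real traffic: line 2
# carries the beacon query string quoted in the post, the other lines are invented,
# and the last line is deliberately malformed to show the parser skipping it.
SAMPLE_LOG = """\
1370862388 10.0.0.12 GET http://www.example.com/index.html
1370862390 10.0.0.12 GET http://stats.app-data.net/installer.gif?action=started&browser=ie6&ver=1_26_153&bic=00A473047B09414785A7A54908970321IE&app=30413&appver=0&verifier=d3459d462f931be10f76456d86fe24d-5&srcid=0&subid=0&zdata=0&ff=0&ch=0&default=ie&os=XP32&admin=1&type=1&asw=0
1370862391 10.0.0.12 GET http://app-static.crossrider.com/plugin.js
1370862402 10.0.0.33 GET http://errors.app-data.net/installer.gif?action=error&app=30413
1370862410 10.0.0.33 GET http://cdn.example.org/style.css
garbage
"""


def parse_line(line):
    """Split one log line into (timestamp, client, method, url); None if it does not fit."""
    parts = line.split(maxsplit=3)
    if len(parts) != 4:
        return None
    return tuple(parts)


def classify(url):
    """Describe why a URL looks like the campaign's phone-back traffic, or return None.

    Two independent signals are checked: the destination is one of the listed
    phone-back hosts, and/or the request is an installer.gif hit carrying an
    'action' parameter (the beacon shape), so a new host reusing the beacon still fires.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    qs = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    if host in BEACON_HOSTS:
        reasons.append("known phone-back host")
    if parts.path.endswith("/installer.gif") and "action" in qs:
        reasons.append("installer.gif beacon")
    if not reasons:
        return None
    hit = {"host": host, "reasons": reasons, "action": qs.get("action", [None])[0]}
    for key in PIVOT_FIELDS:
        hit[key] = qs.get(key, [None])[0]  # None when the field is absent
    return hit


def scan_log(text):
    """Return [(client_ip, hit_dict), ...] for every flagged line in the log text."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than aborting the whole scan
        _ts, client, _method, url = rec
        hit = classify(url)
        if hit is not None:
            hits.append((client, hit))
    return hits


def clients_with_install_beacon(text):
    """Client IPs that sent action=started, i.e. hosts where the dropper actually ran."""
    return sorted({client for client, hit in scan_log(text) if hit["action"] == "started"})


if __name__ == "__main__":
    for client, hit in scan_log(SAMPLE_LOG):
        print(client, hit["host"], hit["reasons"], hit["bic"], hit["app"])
    print("install beacons from:", clients_with_install_beacon(SAMPLE_LOG))
```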

Facebook and Google have been notified.

This post has been reproduced from [6]Dancho Danchev's blog. Follow him [7]on Twitter.

1. http://1.bp.blogspot.com/-lxZlezC4rzQ/UbW86IHzcBI/AAAAAAAAFuQ/dm014sZpxaa/s1600/Whos+Viewed+Your+Facebook+Profile+Fake+Rogue+Extension.png
2. https://www.virustotal.com/en/file/7b5f495dbc987f16c1f331141dd9dd62a8066503226d5bf457cbd5875515a600/analysis/
3. https://www.virustotal.com/en/file/5a2729550420e40836fd2f5e2bb42fe4b9d36dd3fbb0f12fc05b829b5e295f80/analysis/1370862388/
4. https://www.virustotal.com/en/file/07ac717f288cdee6c5b6ef4eeda86f90892ef26fd11c7aac11ea6401a7dcc2e6/analysis/1370862459/
5. https://www.virustotal.com/en/file/de7e13991bbbe84c6470c070d675ceff1f07b3ff3c545ca53b33ebbc1790b9c9/analysis/1370862551/
6. http://ddanchev.blogspot.com/
7. http://twitter.com/danchodanchev
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'Anonymous' Group's DDoS Operation Titstorm 
(2013-06-12 20:01) 

With last months [l]'Anonymous' Group's DDoS Operation 
Titstorm campaign a clear success based on the real-time 

monitoring of the crowdsourcing-driven attack, it's time to 
take a brief retrospective on the tools and tactics used, 

and relate 

• Go through an analysis of 2009's failed [2]Operation 
Didgeridie DDoS campaign 

Why is Operation Titstorm an important one to profile? Not 
only because it worked compared to [3]Operation 

Didgeridie, but also, due to the fact that crowdsourcing 
driven (malicious culture of participation) DDoS attacks 
have proven themselves throughout the past several years, 
as an alternative to DDoS for hire attacks. 

- DIYICMPflooders 

- Web based multiple iFrame loaders to consume server CPU 






- Web based email bombing tools+predefined lists of emails 
belonging to government officials/employees 

Go through related posts on crowdsourcing DDoS attacks/malicious culture of participation:

[4] Coordinated Russia vs Georgia cyber attack in progress

[5] Iranian opposition launches organized cyber attack against pro-Ahmadinejad sites

[6] People's Information Warfare Concept

[7] Electronic Jihad v3.0 - What Cyber Jihad Isn't

[8] Electronic Jihad's Targets List

[9] The DDoS Attack Against CNN.com

[10] Chinese Hacktivists Waging People's Information Warfare Against CNN

[11] The Russia vs Georgia Cyber Attack

[12] Real-Time OSINT vs Historical OSINT in Russia/Georgia Cyberattacks

[13] Pro-Israeli (Pseudo) Cyber Warriors Want your Bandwidth

[14] Iranian Opposition DDoS-es pro-Ahmadinejad Sites

This post has been reproduced from [15]Dancho Danchev's blog. Follow him [16]on Twitter.



1. http://www.smh.com.au/technology/technology-news/operation-titstorm-hackers-bring-down-government-websites-20100210-naku.html

2. http://blogs.zdnet.com/security/?p=4234

3. http://blogs.zdnet.com/security/?p=4234

4. http://blogs.zdnet.com/security/?p=1670

5. http://blogs.zdnet.com/security/?p=3613

6. http://ddanchev.blogspot.com/2007/10/peoples-information-warfare-concept.html

7. http://ddanchev.blogspot.com/2007/11/electronic-jihad-v30-what-cyber-jihad.html

8. http://ddanchev.blogspot.com/2007/11/electronic-jihads-targets-list.html

9. http://ddanchev.blogspot.com/2008/04/ddos-attack-against-cnncom.html

10. http://ddanchev.blogspot.com/2008/04/chinese-hacktivists-waging-peoples.html

11. http://ddanchev.blogspot.com/2008/08/russia-vs-georgia-cyber-attack.html

12. http://ddanchev.blogspot.com/2008/10/real-time-osint-vs-historical-osint-in.html

13. http://ddanchev.blogspot.com/2009/01/pro-israeli-pseudo-cyber-warriors-want.html

14. http://ddanchev.blogspot.com/2009/06/iranian-opposition-ddos-es-pro.html

15. http://ddanchev.blogspot.com/

16. http://twitter.com/danchodanchev
Bogus "Shocking Video" Content at Scribd Exposes Malware Monetization Scheme Through Parked Domains (2013-06-20 22:44)

Bogus content populating Scribd, centralized malicious/typosquatted/parked domains/fraudulent infrastructure, combined with dozens of malware samples phoning back to this very same infrastructure to monetize the fraudulently generated traffic: it doesn't get any better than this, does it?

URL redirection chain:

hxxp://papaver.in/shocking/scr68237 -> hxxp://dsnetservices.com/?epl=98EbooDNwLit-qQViA4tbYD7JMZAQuEUyV387pMYNBODms0CdAg9qAe5QvBgiaO6xW6jHWliYo5F8yDlvYx7Aavd8wLHmZwHDIItbG4Eta-GVtiO3i9LlnzyK0YgWmT2BOaEeaipahFIE8yB7mCEBrQzXXtQBVUSIMGIEwTo9iUpOlyDUOMOmZKYzSpfEqGIAAgYN_vvwAA4H8BAABAgFsLAADgPokxWVMmWUExNmhaQqAAAADw -> monetization through Google/MSN
Domain names reconnaissance:

papaver.in - 69.43.161.176 - Email: belcanto@hushmail.com - Belcanto Investment Group

dsnetservices.com - 208.73.211.152 - Email: admin@overseedomainmanagement.com - Oversee Domain Management, LLC
The following related domains are also registered with the same email (belcanto@hushmail.com):

4cheapsmoke.com
777payday.com
aboutforexincome.com
agroindusfinance.com
atvcrazy.com
bbbamericashop.com
bizquipleasing.com
cashforcrisis.com
cashmores-caravans.com
cashswim.com
cheapbuyworld.com
cheaptobbacco.com
cheapuc.com
debtheadaches.com
debtonatorct.com
gcecenter.com
goldforcashevents.com
studioshc.com
thestandardjournal.com
travelgurur.com
atlanticlimos.net
bethelgroup.net
caravanningnews.net
casting-escort.net
cheapersales.net
couriernetwork.net
dragonarttattoo.net
girlgeniusonline.net
madameshairbeauty.net
manchester-escort.net
mygirlythings.net
vocabhelp.net
cheapmodelships.com
financialdebtfree.com
mskoffice.com
cashacll.com
apollohealthinsurance.com
nieportal.com
playfoupets.com
wducation.com
carwrappingtorino.net
crewealexultras.net
diamondsmassage.net
isleofwightferries.org
migliojewellery.org
mind-quad.org
moneyinfo.us
2daysdietslim.com
999cashlline.com
capitalfinanceome.com
capitlefinanceone.com
captialfinanceone.com
carehireinsurance.com
cashadvaceusa.com
cashadvancesupprt.com
cashdayday.com
cashgftingxpress.com
cashginie.com
cashsoltionsuk.com
cathayairlinescheapfare.com
cheapaddidastops.com
cheapaparmets.com
cheapariaoftguns.com
cheapcheapcompters.com
cheapdealsinmalta.com
cheapdealsorlando.com
cheapeestees.com
cheapetickete.com
cheapeygptholidays.com
cheapfaresairlines.com
cheap-flighs.com
cheapflyithys.com
cheapfreestylebmx.com
cheapgoldjewelery.com
cheaphnoels.com
cheapholidaysites.com
cheaphotellakegeorge.com
cheaplawnbowls.com
cheapm1a1airsoft.com
cheapmetalsticksdiablo.com
cheapmpwers.com
cheapmsells.com
cheapotickeds.com
cheapottickets.com
cheapprotien.com
cheapryobicordlesstools.com
cheap-smell.com
cheapsmellscom.com
cheapsmes.com
cheapsscents.com
cheapstockers.com
cheapsummerdresser.com
cheaptents4sale.com
cheaptertextbooks.com
cheaptikesps.com
cheaptrainfairs.com
cheaptstickts.com
cheaptunictops.com
cheapuksupplement.com
cheapversaceclothes.com
cheapviagra4u.com
clutterdiet.com
cocheaptickets.com
dailcheapreads.com
dcashstudious.com
debtinyou.com
diabetesdietsplans.com
dietaetreino.com
dietcetresults.com
dietcheff.com
dietdessertndgos.com
dietemaxbrasil.com
dietopan.com
discoveryremortgages.com
dmrbikescheap.com
ferrrycheap.com
financeblogspace.com
firstleasingcompanyofindia.com
firstresponcefinance.com
forexdirecotery.com
forexfacdary.com
foreximegadroid.com
forextrading2u.com
iitzcash.com
insanelycheapfights.com
insurancenbanking.com
inevenhotel.net
islamic-bank.us
italyonlinebet.com
m3motorsite.com
Out of the hundreds of domains known to have phoned back to the same IP in the past, the following are particularly interesting:

motors.shop.ebay.com-cars-trucks-9722711.lsvvo.net

motors.shop.ebay.com-trucks-cars-922.lsvvo.net

paupal.it

paypa.com.login.php.nahda-online.com

paypal-secure.bengalurban.com

paypal.com-cgi.bin-webscr.cmd.login.submit-dispatch.5885d80a.13c0db1f8.e263663.d3faee.38deaa3.e263663.login.submit.3.webrocha.com

paypal.com-cgi.bin-webscr.cmd.login.submit-dispatch.5885d80a.13c0db1f8.e263663.d3faee.38deaa3.e263663.login.submit.4.webrocha.com

paypal.com.update.service.cgi.bin.webscr.cmd.login-submit.modernstuf.com

paypal.com.update.service.cgi.bin.webscr.cmd.login.submit.modernstuf.com

paypal.com.us.cgi-bin.webscr-cmd.login-run.dispatch.5885d80a13c0db1f8e263663d3faee8d43b1bb6ca6ed6aee8d43b16cv27bc.darealsmoothvee.com

paypal.it.bengalurban.com

Malicious MD5s known to have made HTTP (monetization) requests to the same IP (69.43.161.176):

MD5: 7fa7500cd90bd75ae52a47e5c18ba800
MD5: 84b28cf33dee08531a6ece603ca92451
MD5: f04ce06f5b1c89414cb1ff9219401a0e
MD5: b2019625e4fd41ca9d70b07f2038803e
MD5: 6cfb98ac63b37c20529c43923bcb257c
MD5: 04641dbafe3d12b00a6b0cd84fba557f
MD5: 02476b31f2cdc2b02b8ef1e0072d4eb2
MD5: 0d5a69fa766343f77630aa936bb64722
MD5: 57f7520b3958031336822926ed0d10b5
MD5: 00d08b163a86008cbe3349e4794ae3c0
MD5: 8dd2223da1ad1a555361c67794eb7e24
MD5: 737309010740c2c1fba3d989233c199c
MD5: eb3043e13dd8bb34a4a8b75612fe401e
MD5: eb4737492d9abcc4bd43b12305c4b2fc
MD5: 6257b9c3239db33a6c52a8ecb2135964
MD5: 481366b6e867af0d47a6642e07d61f10
MD5: d58b7158b3b1fb072098dba98dd82ed5
MD5: 9dd425b00b851f6c63ae069abbbec037
MD5: 6b0c07ce5ff1c3a47685f7be9793dce5
MD5: b2b5e82177a3beb917f9dd1a9a2cf91c
MD5: 05070da990475ac3e039783df4e503bc
MD5: c332dd499cdba9087d0c4632a76c59f0
MD5: 0768764fbbeb84daa5641f099159ee7f
MD5: 843b44c77e47680aa4b274eee1aad4e7
MD5: 36f92066703690df1c11570633c93e73
MD5: 0504b00c51b0d96afd3bea84a9a242a2
MD5: 8b0de5eabc27d37fa97d2b998ffd841a
MD5: 2944b1437d1e8825585eea3737216776
MD5: fa13c7049ae14be0cf2f651fb2fa74ba
MD5: ba5e47e0ed7b96a34b716caee0990ea3
MD5: e67e56643f73ed3f6027253d9b5bdfac
MD5: 0ab654850416e347468a02ca5a369382
MD5: 4e372e5d1e2bd3fa68b85f6d1f861087
MD5: 696a9b85230a315cfe393d9335cae770
MD5: 04343c3269c33a5613ac5860ddb2ab81
MD5: 384a496cd4c2bc1327c225e19edbee54
MD5: a44b2380cdac36f9dfb460f8fbff3714
MD5: 9e2a83adb079048d1c421afaf56a73a6
MD5: e377c7ad8ab55226e491d40bf914e749
MD5: 46c7c70e30495b4b60be1c58a4397320
MD5: 841890281b7216e8c8ea1953b255881e
MD5: 4392f490e6ee553ff7a7b3c4bd1dd13f
MD5: eeeda63bee6d2704cf6f77f2fb8431cd
MD5: b68e183884ce980e300c93dfa375bb1f
MD5: 7990fb5c676bbcd0a6168ea0f8a0c1d7
MD5: adc250439474d38212773e161dadd6b4
MD5: 075ae09c016df3c7eb3d402d96fc2528
MD5: d03b5bf4a905879d9b93b6e81fc1ca55
MD5: 00c62c8a9f2cf7140b67acec477e6a14
MD5: b228fae216a9564192fa2153ae911d54
MD5: 2f778fc3a22b7d5feb0a357c850bdd0d
MD5: 9080f3a0dfde30aa8afa64f7c3f5d79a
MD5: 526c1f10f94544344de12abec96cf96f
MD5: 4d8ddc8d5f6698a6690985ca86b3de00
MD5: 1a7bb0c9b79d1604b4de5b0015202d02
MD5: 528be69afad5a5e6beb7b40aeb656160
MD5: 1769f1b5beae58c09e5e1aac9249f5de
MD5: 6fb86421ea607ed6c912a3796739ce9b
MD5: 22e36b887946e457964a2a28a756a1ed
MD5: 31a7816a1458321736979e0efdd3d20f
MD5: 113572249856fe5f2848d1add06de758
MD5: a8a002732c5a4959afbf034d37992b5d
MD5: 413a9116362ab8fb9ba622cc98c788b1
MD5: 4abb29fe3ec3239d93f7adbc8cb70259
MD5: 989bea3435e5ac5b8951baa07d356526
MD5: 9a966076f114fbffc5cdbf5a90b3fd01
MD5: 14e64da2094ab1aae13d162107c504ec
MD5: 96bb6df37daef5b8de39ceae1e3a7396
MD5: d864369a0e8687ad3f89b693be84c8eb
MD5: 26b8b2c06e1604daee6bfe783a82479e
MD5: 63b922c94338862e7b9605546af2ef14
MD5: 19ba1497f088d850bd3902288bb3bd92

Malicious MD5s known to have made HTTP (monetization) requests to the same IP (208.73.211.152):

MD5: db0aac72ed6d56497e494418132d7a41
MD5: aa47bd20f8a00e354633d930a3ebcb19
MD5: a957e914f697639df7dfb8483a88483b
MD5: a0b7b01a0574106317527e436e515fd3
MD5: 3d0d834fe7ca583ca6ed056392f4413d
MD5: fa342104b329978cba33639311afe446
MD5: f3b3e8b98bdfb6673da6d39847aec1b3
MD5: 3ef52b2fd086094b591eb01bc32947c8
MD5: 128e70484a9f19ab9096fb9b1969bf89
MD5: ee7dc2d2c7d33855b4dd86ae6243ad22
MD5: 6fc317b6f66d73903ffe8d12df72e5f7
MD5: 3800a4a6d6620aa15db7ea717b4d10f5
MD5: 830bbfcaa499de30ab08a510ce4cbba2
MD5: 085afd7f26f388bd62bc53ed430fbbc6
MD5: 3035e120ce08f1824817e0d6eaecc806
MD5: d4db511618c52272e58f4c334414ed6e
MD5: dc4ab086d50dcdcd5ae060acfe9bddca
MD5: c2bc9e266857537699fd10142658bf31
MD5: 9e6ab643d34a6c37b6150aeb8a2e5adb
MD5: b6bb96470ef67c26c0a0e8a4d145c169
MD5: f5aa326e0b5322d7ac47a379e1e1c1f8
MD5: dc0f8c01d8deaabe9d57d31f9daf50b9
MD5: 4a42c42e7acd9ff32ebb18efc2d5b801
MD5: a254b2824867e05d52c60e0464121588
MD5: 7e612f7ac81ccddb368d3c9e47c9942a
MD5: 66cec28f23b692ff2019c70a76894c41

This case is a great example of one of the core practices when profiling cybercrime incidents and campaigns: sample everything, as what you're originally seeing is just the tip of the iceberg.
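The pivoting the post performs by hand (registrant e-mail to sibling domains, shared IP to co-hosted hostnames, then a look at which of those hostnames abuse a brand name) can be scripted. The block below is an added example, not code from the original post. Its records are constructed from the indicators quoted above and stand in for WHOIS/passive-DNS output; TWO_LEVEL_SUFFIXES is a deliberately tiny stand-in for a real Public Suffix List lookup, and the brand list is an assumption.

```python
"""Pivot on the reconnaissance data in the post and flag brand-abusing hostnames.

Added example, not code from the original post. The records below are constructed
from the indicators quoted in the text (registrant email, IPs, hostnames) and stand
in for WHOIS / passive-DNS output; TWO_LEVEL_SUFFIXES is a deliberately tiny
stand-in for a real Public Suffix List lookup.
"""
from collections import defaultdict

BRANDS = ("paypal", "ebay")                          # assumption: brands worth watching
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.in"}    # assumption: minimal public-suffix set

# Constructed records: (hostname, resolving IP or None, registrant e-mail or None)
RECORDS = [
    ("papaver.in", "69.43.161.176", "belcanto@hushmail.com"),
    ("dsnetservices.com", "208.73.211.152", "admin@overseedomainmanagement.com"),
    ("cheapviagra4u.com", None, "belcanto@hushmail.com"),
    ("777payday.com", None, "belcanto@hushmail.com"),
    ("motors.shop.ebay.com-cars-trucks-9722711.lsvvo.net", "69.43.161.176", None),
    ("paupal.it", "69.43.161.176", None),
    ("paypal.com.us.cgi-bin.webscr-cmd.login-run.darealsmoothvee.com", "69.43.161.176", None),
    ("paypal-secure.bengalurban.com", "69.43.161.176", None),
]


def registered_domain(host):
    """Registrable domain: last two labels, or three under a listed two-level suffix."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def levenshtein(a, b):
    """Classic edit distance; a distance of 1 from a brand is the typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def impersonation(host, brands=BRANDS):
    """(brand, reason) if the hostname abuses a brand name, else None.

    Two patterns seen in the post: the brand spelled out in the subdomain part of an
    unrelated registrable domain, and a one-character typo of the brand used as the
    registrable label itself."""
    host = host.lower()
    reg = registered_domain(host)
    reg_label = reg.split(".")[0]
    prefix = host[: -len(reg) - 1] if host.endswith("." + reg) else ""
    for brand in brands:
        if reg_label == brand:
            return None                      # the brand's own domain, not impersonation
        if brand in prefix:                  # plain substring match; good enough for a demo
            return (brand, "brand in subdomain of " + reg)
        if levenshtein(reg_label, brand) == 1:
            return (brand, "typosquat of " + brand)
    return None


def pivot(records):
    """Cluster hostnames by shared registrant e-mail and by shared IP."""
    by_email, by_ip = defaultdict(set), defaultdict(set)
    for host, ip, email in records:
        if email:
            by_email[email].add(host)
        if ip:
            by_ip[ip].add(host)
    return by_email, by_ip


def report(records=RECORDS):
    """Everything the analyst wants in one structure: clusters plus flagged hostnames."""
    by_email, by_ip = pivot(records)
    flagged = {}
    for host, _, _ in records:
        hit = impersonation(host)
        if hit:
            flagged[host] = hit
    return {"by_email": {k: sorted(v) for k, v in by_email.items()},
            "by_ip": {k: sorted(v) for k, v in by_ip.items()},
            "impersonation": flagged}


if __name__ == "__main__":
    for section, rows in report().items():
        print(section)
        for key, value in rows.items():
            print(f"  {key}: {value}")
```

The registrable-domain step is what makes the brand check honest: a hostname like paypal.com.us.cgi-bin.webscr-cmd.login-run.darealsmoothvee.com contains the string "paypal.com", but its owner is whoever registered darealsmoothvee.com, which is exactly the point of such names.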

Related posts:

[1] Click Fraud, Botnets and Parked Domains - All Inclusive

[2] A Commercial Click Fraud Tool

This post has been reproduced from [3]Dancho Danchev's blog. Follow him [4]on Twitter.

1. http://ddanchev.blogspot.com/2008/07/click-fraud-botnets-and-parked-domains.html

2. http://ddanchev.blogspot.com/2007/08/commercial-click-fraud-tool.html

3. http://ddanchev.blogspot.com/

4. http://twitter.com/danchodanchev
Fake 'Rihanna & Chris Brown S3X Video' Spam Campaign Spreading Across Facebook, Monetized Through Adf Dot Ly PPC Links (2013-06-22 10:56)

A currently ongoing, click-jacking driven spam campaign is circulating across Facebook, with the affected users further spreading the adf.ly links on the Walls of their friends, in between tagging them, and with the cybercriminal/cybercriminals behind the campaign earning revenue through the adf.ly pay-per-click (PPC) monetization scheme.

Redirection chain:

hxxp://adf.ly/Qrd2f?cid=51c3e798aff9a -> hxxp://rihannaofficialvideo.blogspot.de/?231514 -> hxxp://www.smilegags.com/watch/jack.php?action=connect&cid=51c3e798aff9a -> hxxp://lolzbestpic.com
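Chains like this one, and the Scribd-to-parked-domain chain in the previous post, are reconstructed by following whatever mechanism each hop uses to push the browser on: an HTTP 3xx Location header, a meta refresh, or a JavaScript location assignment. The block below is an added example, not code from the original post, that walks such a chain and prints it defanged. The HTTP responses are constructed to mirror the hops above; swapping fake_fetch for a real HTTP client (one that does not auto-follow redirects) traces a live chain.

```python
"""Reconstruct a URL redirection chain offline and print it defanged.

Added example, not code from the original post. The HTTP responses below are
constructed to mirror the chain in the text (adf.ly -> blogspot -> smilegags ->
lolzbestpic); replace `fake_fetch` with a real client to trace a live chain.
"""
import re
from urllib.parse import urljoin

# Constructed responses: url -> (status, headers, body)
FAKE_RESPONSES = {
    "http://adf.ly/Qrd2f?cid=51c3e798aff9a": (
        302, {"Location": "http://rihannaofficialvideo.blogspot.de/?231514"}, ""),
    "http://rihannaofficialvideo.blogspot.de/?231514": (
        200, {}, '<html><head><meta http-equiv="refresh" content="0; url='
                 'http://www.smilegags.com/watch/jack.php?action=connect&cid=51c3e798aff9a">'
                 '</head></html>'),
    "http://www.smilegags.com/watch/jack.php?action=connect&cid=51c3e798aff9a": (
        200, {}, '<script>window.location="http://lolzbestpic.com/";</script>'),
    "http://lolzbestpic.com/": (200, {}, "<html>landing page</html>"),
}

# <meta http-equiv="refresh" content="N; url=...">
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)',
    re.I)
# window.location = "..."; location.href = '...'; top.location = "..."
JS_LOCATION = re.compile(
    r'(?:window|document|top|self)?\.?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)


def next_hop(status, headers, body, base):
    """The URL a browser would load next, or None on a landing page."""
    if 300 <= status < 400 and "Location" in headers:
        return urljoin(base, headers["Location"])
    m = META_REFRESH.search(body) or JS_LOCATION.search(body)
    return urljoin(base, m.group(1)) if m else None


def follow(url, fetch, max_hops=10):
    """Walk the chain; returns (urls, how) with how one of
    'landing', 'loop', 'max_hops' or 'http <code>'."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        if status >= 400:
            return chain, f"http {status}"
        nxt = next_hop(status, headers, body, url)
        if nxt is None:
            return chain, "landing"
        if nxt in seen:                      # redirect loop: stop instead of spinning
            return chain + [nxt], "loop"
        chain.append(nxt)
        seen.add(nxt)
        url = nxt
    return chain, "max_hops"


def fake_fetch(url):
    """Stand-in for an HTTP client that does NOT follow redirects itself."""
    return FAKE_RESPONSES.get(url, (404, {}, ""))


def defang(url):
    """http -> hxxp, the convention the post uses so the links are not clickable."""
    return re.sub(r"^http", "hxxp", url, flags=re.I)


def chain_report(url, fetch=fake_fetch):
    chain, how = follow(url, fetch)
    text = " -> ".join(defang(u) for u in chain)
    return text if how == "landing" else f"{text}  [{how}]"


if __name__ == "__main__":
    print(chain_report("http://adf.ly/Qrd2f?cid=51c3e798aff9a"))
```

Capturing the intermediate hops matters more than the landing page: the cid parameter that adf.ly hands to smilegags.com is the affiliate identifier that ties the spam to whoever is paid for the clicks, and a client that auto-follows redirects would never show it.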
MD5s for the Facebook spamming/click-jacking scripts:

MD5: fe97840bd2af654acdb63fd80b094531
MD5: f8a360728a896d40bbb0f190375fb6f6
MD5: bae32ffd43ac2f518dafeedb8901e2de
MD5: 90fa366b8affac24fe182b7b5de51b16

Domain name reconnaissance:

smilegags.com - 184.107.164.158
lolzbestpic.com - 64.79.76.226

Name servers used:

Name Server: NS1.PYARISHQ.INFO
Name Server: NS2.PYARISHQ.INFO
Name Server: NS1.HOSTING.XLHOST.COM
Name Server: NS2.HOSTING.XLHOST.COM

Responding to the same IP (184.107.164.158) are also the following domains:

amasave.com
wikilieaksvideo.com
ns1.pyarishq.info
ns2.pyarishq.info

Known to have responded to the same IP (184.107.164.158) in the past are also the following domains:

costcochristmas.com
costcogives.com
giftcardgratis.com
icagivings.com
iomanako.com
picknpaygives.com
remabilaget.com
rewegives.com
vodkaforyou.info
topvideosweden.com

Responding to the same IP (64.79.76.226) is also the following domain:

silali.info

Known to have responded to the same IP (64.79.76.226) in the past is also the following domain:

promvideo.pw

Related posts:

[1] Koobface Botnet Redirects Facebook's IP Space to my Blog

[2] Malware-Serving "Who's Viewed Your Facebook Profile" Campaign Spreading Across Facebook

[3] Fake 'Facebook Profile Spy Application' Campaign Spreading Across Facebook

[4] Phishing Campaign Spreading Across Facebook

[5] Facebook Malware Campaigns Rotating Tactics

[6] MySpace Phishers Now Targeting Facebook

[7] Facebook Photo Album Themed Malware Campaign, Mass SQL Injection Attacks Courtesy of AS42560

[8] Facebook/AOL Update Tool Spam Campaign Serving Crimeware and Client-Side Exploits

This post has been reproduced from [9]Dancho Danchev's blog. Follow him [10]on Twitter.

1. http://ddanchev.blogspot.com/2009/10/koobface-botnet-redirects-facebooks-ip.html

2. http://ddanchev.blogspot.com/2013/06/malware-serving-whos-viewed-your.html

3. http://ddanchev.blogspot.com/2013/05/fake-facebook-profile-spy-application.html

4. http://ddanchev.blogspot.com/2008/06/phishing-campaign-spreading-across.html

5. http://ddanchev.blogspot.com/2008/08/facebook-malware-campaigns-rotating.html

6. http://ddanchev.blogspot.com/2008/01/myspace-phishers-now-targeting-facebook.html

7. http://ddanchev.blogspot.com/2010/06/facebook-photo-album-themed-malware.html

8. http://ddanchev.blogspot.com/2010/01/facebookaol-update-tool-spam-campaign.html

9. http://ddanchev.blogspot.com/

10. http://twitter.com/danchodanchev
Summarizing Webroot's Threat Blog Posts for June (2013-07-04 18:38)

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for June, 2013. You can subscribe to [2]Webroot's Threat Blog RSS Feed, or follow me on Twitter:

01. [3]Compromised FTP/SSH account privilege-escalating mass iFrame embedding platform released on the underground marketplace

02. [4]New E-shop sells access to thousands of hacked PCs, accepts Bitcoin

03. [5]Pharmaceutical scammers impersonate Facebook's Notification System, entice users into purchasing counterfeit drugs

04. [6]iLivid ads lead to 'Searchqu Toolbar/Search Suite' PUA (Potentially Unwanted Application)

05. [7]Hacked Origin, Uplay, Hulu Plus, Netflix, Spotify, Skype, Twitter, Instagram, Tumblr, Freelancer accounts offered for sale

06. [8]Scammers impersonate the UN Refugee Agency (UNHCR), seek your credit card details

07. [9]Fake 'Unsuccessful Fax Transmission' themed emails lead to malware

08. [10]Tens of thousands of spamvertised emails lead to W32/Casonline

09. [11]Rogue ads lead to SafeMonitorApp Potentially Unwanted Application (PUA)

10. [12]How cybercriminals apply Quality Assurance (QA) to their malware campaigns before launching them

11. [13]Rogue ads target EU users, expose them to Win32/Toolbar.SearchSuite through the KingTranslate PUA

12. [14]New boutique iFrame crypting service spotted in the wild

13. [15]Rogue 'Oops Video Player' attempts to visually social engineer users, mimicks Adobe Flash Player's installation process

14. [16]New E-Shop sells access to thousands of malware-infected hosts, accepts Bitcoin

15. [17]New subscription-based SHA256/Scrypt supporting stealth DIY Bitcoin mining tool spotted in the wild

16. [18]Rogue 'Free Mozilla Firefox Download' ads lead to 'InstallCore' Potentially Unwanted Application (PUA)

17. [19]SIP-based API-supporting fake caller ID/SMS number supporting DIY Russian service spotted in the wild

18. [20]Rogue 'Free Codec Pack' ads lead to Win32/InstallCore Potentially Unwanted Application (PUA)

19. [21]Self-propagating ZeuS-based source code/binaries offered for sale

20. [22]How cybercriminals create and operate Android-based botnets

This post has been reproduced from [23]Dancho Danchev's blog. Follow him [24]on Twitter.

1. http://blog.webroot.com/

2. http://feeds2.feedburner.com/WebrootThreatBlog

3. http://blog.webroot.com/2013/06/03/compromised-ftpssh-account-privilege-escalating-mass-iframe-embedding-platform-released-on-the-underground-marketplace/

4. http://blog.webroot.com/2013/06/04/new-e-shop-sells-access-to-thousands-of-hacked-pcs-accepts-bitcoin/

5. http://blog.webroot.com/2013/06/05/pharmaceutical-scammers-impersonate-facebooks-notification-system-entice-users-into-purchasing-counterfeit-drugs/

6. http://blog.webroot.com/2013/06/06/ilivid-ads-lead-to-searchqu-toolbarsearch-suite-pua-potentially-unwanted-application/

7. http://blog.webroot.com/2013/06/07/hacked-origin-uplay-hulu-plus-netflix-spotify-skype-twitter-instagram-tumblr-freelancer-accounts-offered-for-sale/

8. http://blog.webroot.com/2013/06/10/scammers-impersonate-the-un-refugee-agency-unhcr-seek-your-credit-cards-details/

9. http://blog.webroot.com/2013/06/11/fake-unsuccessful-fax-transmission-themed-emails-lead-to-malware/

10. http://blog.webroot.com/2013/06/12/tens-of-thousands-of-spamvertised-emails-lead-to-w32casonline/

11. http://blog.webroot.com/2013/06/13/rogue-ads-lead-to-safemonitorapp-potentially-unwanted-application-pua/

12. http://blog.webroot.com/2013/06/14/how-cybercriminals-apply-quality-assurance-qa-to-their-malware-campaigns-before-launching-them/

13. http://blog.webroot.com/2013/06/17/rogue-ads-target-eu-users-expose-them-to-win32toolbar-searchsuite-through-the-kingtranslate-pua/

14. http://blog.webroot.com/2013/06/18/new-boutique-iframe-crypting-service-spotted-in-the-wild/

15. http://blog.webroot.com/2013/06/19/rogue-oops-video-player-attempts-to-visually-social-engineer-users-mimicks-adobe-flash-players-installation-process/

16. http://blog.webroot.com/2013/06/20/new-e-shop-sells-access-to-thousands-of-malware-infected-hosts-accepts-bitcoin/

17. http://blog.webroot.com/2013/06/21/new-subscription-based-sha256scrypt-supporting-stealth-diy-bitcoin-mining-tool-spotted-in-the-wild/

18. http://blog.webroot.com/2013/06/24/rogue-free-mozilla-firefox-download-ads-lead-to-installcore-potentially-unwanted-application-pua/

19. http://blog.webroot.com/2013/06/25/sip-based-api-supporting-fake-caller-idsms-number-supporting-diy-russian-service-spotted-in-the-wild/

20. http://blog.webroot.com/2013/06/26/rogue-free-codec-pack-ads-lead-to-win32installcore-potentially-unwanted-application-pua/

21. http://blog.webroot.com/2013/06/27/self-propagating-zeus-based-source-codebinaries-offered-for-sale/

22. http://blog.webroot.com/2013/06/28/how-cybercriminals-create-and-operate-android-based-botnets/

23. http://ddanchev.blogspot.com/

24. http://twitter.com/danchodanchev
Newly Launched 'Scanned Fake Passports/IDs/Credit Cards/Utility Bills' Service Randomizes and Generates Unique Fakes On The Fly (2013-07-04 19:42)

In my most recent analysis of the [1]Russian underground marketplace for fake documents/IDs/passports, I emphasized the overall prevalence of fake identities, which can be either manually 'crafted' by experienced designers possessing high quality scanned originals in order to produce physical copies, or automatically generated, with the users sacrificing quality in the process or looking for a bargain deal.

What's also worth emphasizing, when discussing this cybercrime ecosystem market segment from multiple perspectives, is the overall international acceptance of scanned identification documents for various remote identification purposes, which opens the door to the systematic abuse of a vast number of legitimate services, and also helps facilitate the generation of fake personalities, which can be abused in any way the fraudster desires.

What are some of the latest developments within this cybercrime ecosystem market segment? The introduction of a scalable, [2]DIY (do it yourself) self-service built on a pseudo-randomized database of fake identity data, with photo IDs whose appearance characteristics are randomized on the fake scanned documents to avoid detection of a single pattern, all available as a service as of June, 2013.

Basically, what this service does is provide a DIY Web based interface where users can take advantage of the on-the-fly generation of fake scanned copies of identification documents such as passports/IDs or credit cards.

According to the vendor, the service has an inventory of over 200 photos for passports and IDs, and completely randomizes multiple aspects of the generated scanned fakes, in an attempt to reduce the probability of an entire set of statically generated fakes being easily detected by, for instance, law enforcement.

The vendor also claims that the service can generate a fake in approximately 40 seconds. Payment methods accepted? WebMoney, PerfectMoney, Bitcoin and Paymer.

Sample screenshots of sample scanned fakes generated using the service, and offered as samples:

Sample screenshots of the fake scanned utility bills/credit cards generated using the service:

Financial institutions part of the service's inventory of fake scanned credit cards:

- Amegybank
- Barclays
- Bnp
- Boa
- Capital One
- Chase
- Cibs
- Citibank
- Citizens
- Commonwealth
- Harborstone
- Hfds
- Icba
- Nab
- Natwest
- Navy Federal
- Nordstrombank
- Rbs
- Silverton
- Societegenerale
- Sparkasse
- Union Plus
- US Bank
- Wachovia
- Wells Fargo
- Westpac

With scanned IDs continuing to act as the primary (remote) identification factor for a huge number of legitimate companies, it shouldn't be surprising that cybercriminals have apparently found a way to automate the process, allowing it to scale and eventually grow, with the efficiency-centered model becoming the de facto standard for [3]Quality Assurance (QA) within the cybercrime ecosystem.

This post has been reproduced from [4]Dancho Danchev's blog. Follow him [5]on Twitter.

1. http://ddanchev.blogspot.com/2013/05/a-peek-inside-russian-underground.html

2. http://blog.webroot.com/tag/diy/

3. http://blog.webroot.com/tag/quality-assurance/

4. http://ddanchev.blogspot.com/

5. http://twitter.com/danchodanchev
[Screenshot: FNB@OTPBypass panel, Thu 29 Nov 2012 15:09:47 (UTC), Reports tab with a date filter and the columns Report Date/Time, Browser, IP address, Login (ID), Command, State, Message. Rows for login qwe123 from 127.0.0.1 (FF): 15:02:30 otp / otp_submited, "OTP token submited: 123456, return command: Request OTP"; 15:02:30 wait_cmd / otp_submited, "OTP token submited, return command: Wait for commands"; 15:03:09 blocked / block_fake_shown, "Block fake shown, return command: Login blocked". Accounts tab at 15:10:43 (UTC) with the operator commands Block, OTP, Pass and Wait, and the columns Last Login Time, Login (ID), Password, OTP, Current Command, Last State, IP Address, Logs; its single row reads 2012-11-29 15:03:09, qwe123, qweqwe, 123456, Login blocked, Block fake shown, 127.0.0.1, 23.]
A Peek Inside a Managed OTP/ATS/TAN Token Bypassing/Hijacking/Blocking System as a (Licensed) Service (2013-07-19 22:43)

One of the most common questions that I get during Q&A sessions after a presentation, or in a face-to-face conversation, is:

"Hello, my name is [name], I represent [random financial institution]. Are we being targeted based on your situational awareness?"

For years, virtually every company, every brand, every financial institution has been targeted, largely thanks to the rise of Crimeware-as-a-Service underground market propositions offering standardized and cybercrime-release friendly 'Web Injects', the result of active pre-sale reconnaissance performed on the E-banking service of the targeted institution. The business model is fairly simple: next to 'pushing' a pre-defined set of 'Web Injects' for some of the largest and best known financial institutions in the World, 'Web Injects' for virtually any SSL/Two-Factor Authentication enabled Web site can be requested and produced on demand, usually for a fixed amount of money.

"But we issue two-factor authentication tokens to our customers. Isn't this making any change?"

Sophisticated cybercriminals possessing 'innovative', underground market disrupting capabilities have been [1]undermining two-factor authentication for years. An uncomfortable truth that your financial institution of choice wouldn't necessarily want you to know about, as it would most commonly [2]risk-forward the responsibility to you under a contractual agreement, or actually possess an industry-accepted certification for the operation of such online services, thanks to the introduction of two-factor authentication and the internal security measures preventing a direct compromise of the financial institution's infrastructure.

With source code for the [3]ZeuS crimeware, as well as [4]Carberp, publicly available for virtually anyone to download, it [5]shouldn't be surprising that [6]cybercriminals have started to release more crimeware based on these prominent releases, in an attempt to quickly capitalize on the source code that's been contributing to a huge percentage of the profitability of the cybercrime ecosystem in general.

What are some of the latest 'innovations' in the world of Cybercrime-as-a-Service, in particular the market segment for 'Web Injects'? Are cybercriminals striving to produce ZeuS/Carberp-like underground market 'products', or are they attempting to disrupt the entire cybercrime ecosystem by offering standardized E-banking Web site reconnaissance services that would work with virtually any crimeware/malware release based on publicly obtainable/leaked source code?

That's exactly what the cybercriminal whose underground market proposition I'm about to profile is doing: offering crimeware-independent, standardized, on-demand 'Web Injects', in particular an OTP (One-Time-Password), ATS (Automatic Transfer Service) and TAN (Transaction Authentication Number) bypassing/hijacking/blocking system, or, in those cases where the customer demands it, 'finished crimeware products'.

Sample automatically translated underground market proposition:

I am writing to inject custom-made as well as offer finished products.

The main provisions of the Service:

1. Tools manufactures both private and public products.

1.1 Under the private means software products manufactured "in one hand" with the full right to transfer and resale. The client of the right to require the source code private product. Support for the private software somewhere executed in priority order.

1.2 If the "privacy" of the product is not stipulated in advance that product becomes the default public service and the right to sell it to other customers.

1.3 Prices for private products involve premium of 50% to the price of the underlying / social product.

1.4 Distribution / Transmission of any parts of the code or of the products purchased on the basis of the public, will result in a denial of service on all products purchased from third-party service, followed by filing a complaint in section Black List.

1.5 Public products are delivered on an "as is," and do not include its value of any additions or changes.

1.5.1 Any changes to the products are made public as an additional order and measured in accordance with the workload.

1.6 Service does not run on the lease terms. Only a piecework basis!

1.7 Service does not give advice about cross-translation, relevance or affine those topics. For providing information about banks / cantor Service is not responsible.

2. Service is responsible for the performance of the paid code for the negotiated period.

2.1 If the period of service is not verbalized it enters into force standard warranty period is 10 days from the date of issue of working product.

3. Warranties:

3.1 The Service shall recover from the purchased products for a specified warranty period, for that is technically possible. Free of charge - during the warranty period, and the charge on the expiration of the warranty period. Prices for the repair of products range from $10 up to the full cost of the product and depend directly on the volume of the work.

3.2. Service is not responsible for the failure of performance caused by the code:

3.2.1 The introduction of third-party software which prevents full operation. (Rapport)

3.2.2 The introduction of sms / email notifications that can not be disabled by means of injection.

3.2.3 The introduction of this activity exhibiting malicious code (without the possibility of elimination)

3.2.4 The other changes in the source code of banks / sites prevent recovery of the product.




3.3 The Service does not guarantee a return to work ordered acquired products, but only can guarantee the performance of the software according to the negotiated terms of reference.

4. Approximate prices for soft (public foundation):

grabber balance of $10 (1 unit)

popup $70

Fake full page from $150

repleyser from $450 (3 units each include an additional $50 .. 100)

grabbers data from $150

Automated OTP/ATS/TAN from $2500

Sample explanation of the service in action, courtesy of the cybercriminal behind it:
Sample screenshots of the service in action: 
[Screenshot: the inject's JavaScript source, opening with a 'USER VARIABLES' block (home_link, gate_link built from home_link, pkey, max_login_wait_check_seconds, max_otp_wait_check_seconds, login_wait_cmd_command_timeout, otp_wait_cmd_command_timeout) followed by a 'DETECT BROWSER' function that lower-cases navigator.userAgent and returns 'IE' or 'FF' depending on the substring it finds.]

[Screenshot: FNB@OTPBypass Reports tab for login qwe123 from 127.0.0.1 (FF): 2012-11-29 14:45:05 wait_cmd / logining, "Holder tries to login with login: qwe123, and password: qweqwe, return command: Wait for commands"; 14:50:05 pass_to_account / logining_timedout, "Login wait command timed out, return command: Pass bot to account"; 14:52:01 pass_to_account / logining, "Holder tries to login with login: qwe123, return command: Pass bot to account"; followed by "Holder logged in, return command: Pass bot to account".]
Sample screenshot of the ATSEngine in action targeting HSBC:

[Screenshot: hsbc@ATSEngine panel, Sat 24 Nov 2012 (UTC), tabs Accounts / Drops / Reports / Transfers. Accounts tab columns: Login Time, Login (ID), Security Answer, IP Address, ATS State, Grabbed, Transfers, Logs, listing eight logins recorded on 2012-11-24 with ATS State 'Undefined' or 'Logging In'. Transfers tab columns: Transfer Date, Login (ID), Holder Account Nr., Drop Name, Drop Account Nr., Drop Sort Code, Transfer Memo (RegExp), Amount, with one transfer dated 22.11.2012, memo 'server repair', amount 2419.03.]

Some of the most recent updates to the system include:

01/11/2012 - Sets of fullinfo grabbers for AU (37 banks) / CA (30 banks) / US (40 banks). Data on Holder to SSN / MMN / DOB / DL / DL exp / VBV...

01/11/2012 - Grabbers CC + VBV (paypal, ebay, amazon, facebook)

01/11/2012 - The system change number and Grading necessary disk imaging (input issues, balance sheets) for the Gulf santander.co.uk (instant on UK to 10kGBP)

02/11/2012 - Grabber additional data for paypal (DE/UK/AU/ with the possibility to add other countries). Collects: Name Holder, Balance, Status (verif/neverif), Account Type, Time of the last entry, as well as rooms full of affection card and/or bank accounts for the AU and the UK, and questions with answers for DE

13/11/2012 - Grabber TANS to ipko.pl

23/11/2012 - Avtozaliv on hsbc.co.uk

23/11/2012 - Grabber cc + cvv + exp + pin. Works on all pages on which the algorithm finds a LUHN10 card number and exp field, and collects/requests PIN

11/29/2012 - Intercept system / bypass token to fnb.co.za
Two-factor authentication - indeed, an additional layer of 
security for your E-banking account, however, everything 

changes on a crimeware-infected host, and sadly, it changes 
in favor of the cybercriminal that compromised it. 

This post has been reproduced from [JJDancho 
Danchev's blog. Follow him [8]on Twitter. 

1 . http://www.zdnet.com/blo a /securitv/modern-banker- 
malware-undermines-twQ-factQr-authentication/4402 

2. http://www.zdnet.com/blo a /securitv/no-securitv-software- 
no-e-bankin a -fraud-claims-for-vou/1158 

3. httDs://www. a oo a le.com/#outDut=search&sclient= Dsv- 
ab&a=site:ddanchev.blo as Dot.com-i-zeus 

4. httDs://blo a s.rsa.com/the-carberD-code-leak/ 

5. httD://blo a .webroot.com/2013/03/14/new-zeus-source- 
code-based-rootkit-available-for-Durchase-on-the-under 

g round-market/ 

6. httD://blo a .webroot.com/2013/06/27/self-Dro Daa atin a- 
zeus-based-source-codebinaries-offered-for-sale/ 

7. httD://ddanchev.blo as DOt.com/ 

8. httD://twitter.com/danchodanchev 
[Screenshot: .::FNB@OTPBypass panel, Thu, 29 Nov 2012 15:09:47 (UTC), Reports tab (Accounts / Reports; Options; Sign out; Delete All Reports; date filter). Visible rows, newest first, all browser FF, IP 127.0.0.1, login qwe123:

Report Date/Time    | Command | State            | Message
2012-11-29 15:03:09 | blocked | block_fake_shown | Block fake shown, return command: Login blocked
2012-11-29 15:02:30 |         | otp_submitted    | OTP token submitted, return command: Wait for commands
2012-11-29 15:02:30 | otp     | otp_submitted    | OTP token submitted: 123456, return command: Request OTP

Four earlier rows (15:01 and 15:00) are cut off. The Accounts tab (15:10:43 UTC) offers the commands Block, OTP, Pass and Wait (Refresh, Delete, Delete All) and lists the same account: Last Login Time 15:03:09, Login (ID) qwe123, Password qweqwe, OTP 123456, Last State "Login blocked", Current Command "Block fake shown", IP 127.0.0.1, Logs 23.]
A Peek Inside a Managed OTP/ATS/TAN Token 
Bypassing/Hijacking/Blocking System as a (Licensed) 
Service (2013-07-19 22:43) 

One of the most common questions that I get during Q&A 
sessions after a PPT, or in a face-to-face conversation, is: 

"Hello, my name is [name], I represent [random financial 
institution]. Are we being targeted, based on your situational 
awareness?" 

For years, virtually every company, every brand, every 
financial institution has been targeted, largely thanks 
to the rise of Crimeware-as-a-Service underground market 
propositions offering standardized and cybercrime-release 
friendly 'Web Injects', the result of active pre-sale 
reconnaissance performed on the E-banking service of 
the targeted institution. The business model is fairly simple: 
next to 'pushing' a pre-defined set of 'Web Injects' for 
some of the largest and best known financial institutions in 
the world, 'Web Injects' for virtually any SSL/two-factor 
authentication enabled Web site can be requested and 
produced on demand, usually for a fixed amount of money. 

"But we issue two-factor authentication tokens to our 
customers. Isn't this making any change?" 

Sophisticated cybercriminals possessing 'innovative', 
underground-market disrupting forces have been [1]undermining 
two-factor authentication for years. An uncomfortable truth 
that your financial institution of choice wouldn't necessarily 
want you to know about, as it would most commonly 
[2]risk-forward the responsibility to you under a contractual 
agreement, or actually possess an industry-accepted 
certification for the operation of such online services, 
thanks to the introduction of two-factor authentication and 
the internal security measures preventing a direct compromise 
of the financial institution's infrastructure. 

With source code for the [3]ZeuS crimeware, as well as 
[4]Carberp, publicly available for virtually anyone to 
download, it [5]shouldn't be surprising that 
[6]cybercriminals have started to release more crimeware 
built on these prominent releases, in an attempt to quickly 
capitalize on source code that has been contributing a huge 
percentage of the profitability of the cybercrime ecosystem 
in general. 

What are some of the latest 'innovations' in the world of 
Cybercrime-as-a-Service, in particular the market segment 
for 'Web Injects'? Are cybercriminals striving to produce 
ZeuS/Carberp-like underground market 'products', or are they 
attempting to disrupt the entire cybercrime ecosystem by 
offering standardized E-banking Web site reconnaissance 
services that would work on virtually any crimeware/malware 
release based on publicly obtainable/leaked source code? 

That's exactly what the cybercriminal whose underground 
market proposition I'm about to profile is doing: offering 
crimeware-independent, standardized, on-demand 'Web Injects', 
in particular an OTP (One-Time-Password), ATS (Automatic 
Transfer Service) and TAN (Transaction Authentication Number) 
bypassing/hijacking/blocking system, or, in those cases where 
the customer demands it, 'finished crimeware products'. 

Sample automatically translated underground market 
proposition: 



I am writing to inject custom-made as well as offer finished 
products. 

The main provisions of the Service: 

1. Tools manufactures both private and public products. 

1.1 Under the private means software products manufactured 
"in one hand" with the full right to transfer and resale. 
The client of the right to require the source code private 
product. Support for the private software somewhere executed 
in priority order. 

1.2 If the "privacy" of the product is not stipulated in 
advance that product becomes the default public service and 
the right to sell it to other customers. 

1.3 Prices for private products involve premium of 50% to 
the price of the underlying / social product. 

1.4 Distribution / Transmission of any parts of the code or of 
the products purchased on the basis of the public, will result 
in a denial of service on all products purchased from third- 
party service, followed by filing a complaint in section Black 
List. 

1.5 Public products are delivered on an "as is," and do not 
include its value of any additions or changes. 

1.5.1 Any changes to the products are made public as an 
additional order and measured in accordance with the 
workload. 
1.6 Service does not run on the lease terms. Only a piecework 
basis! 

1.7 Service does not give advice about cross-translation, 
relevance or affine those topics. For providing information 
about banks / cantor Service is not responsible. 

2. Service is responsible for the performance of the paid code 
for the negotiated period. 

2.1 If the period of service is not verbalized it enters into 
force standard warranty period is 10 days from the date of 
issue of working product. 

3. Warranties: 

3.1 The Service shall recover from the purchased products 
for a specified warranty period, for that is technically 
possible. Free of charge - during the warranty period, and the 
charge on the expiration of the warranty period. Prices for 
the repair of products range from $10 up to the full cost of 
the product and depend directly on the volume of the work. 



3.2 Service is not responsible for the failure of performance 
caused by the code: 

3.2.1 The introduction of third-party software which 
prevents full operation. (Rapport) 

3.2.2 The introduction of sms / email notifications that 
can not be disabled by means of injection. 

3.2.3 The introduction of this activity exhibiting 
malicious code (without the possibility of elimination) 

3.2.4 The other changes in the source code of banks / sites 
prevent recovery of the product. 





3.3 The Service does not guarantee a return to work ordered 
acquired products, but only can guarantee the performance 
of the software according to the negotiated terms of 
reference. 

4. Approximate prices for soft (public foundation): 

grabber balance of $10 (1 unit) 

popup $70 

Fake full page from $150 

repleyser from $450 (3 units each include an additional 
$50 .. 100) 

grabbers data from 150 $ 

Automated OTP/ATS/TAN from $2500 

Sample explanation of the service in action, courtesy 
of the cybercriminal behind it: 

[Screenshot: the seller's Russian-language walkthrough of the panel. It opens with a greeting and "I'll show how the token bypass system works", then lists the panel commands: Block (block the holder), OTP (request a token), Wait (reset the status so that the inject starts anew on the holder's next login) and Pass (let the holder into the account). The rest of the walkthrough is not legible in this extraction.] 

[Screenshot: the test session against fnb.co.za, opened in a Firefox window, alongside the .::FNB@OTPBypass panel (Thu, 29 Nov 2012 14:45:30 UTC; Accounts / Reports).] 
Sample screenshots of the service in action 
[Screenshot: the inject's JavaScript source, titled ".::FNB@OTPBypass - functions". A "USER VARIABLES" block defines home_link, gate_link (built from home_link), pkey, MAX_login_wait_cmd_seconds and MAX_otp_wait_cmd_seconds (legible values: 30 and 60), and login_wait_cmd_command_timeout and otp_wait_cmd_command_timeout (both 1). A "DETECT BROWSER" block defines detectBrowser(), a chain of navigator.userAgent.toLowerCase().indexOf(...) >= 0 tests returning the browser name. The remaining values are not legible in the extraction.] 

[Screenshot: .::FNB@OTPBypass panel, Thu, 29 Nov 2012 14:50:14 and 14:53 (UTC), Reports tab (Refresh, Delete All Reports, date filter). Columns: Report Date/Time, Browser, IP address, Login (ID), Command, State, Message. Visible rows, newest first, all browser FF, IP 127.0.0.1, login qwe123:

Report Date/Time    | Command         | State             | Message
2012-11-29 14:53:42 | blocked         | block_fake_shown  | Holder tries to login with login: qwe123, and password: qweqwe, return command: Login blocked
2012-11-29 14:52:01 | pass_to_account | logined           | Holder logged in, return command: Pass bot to account
2012-11-29 14:52:01 | pass_to_account | logining          | Holder tries to login with login: qwe123, and password: qweqwe, return command: Pass bot to account
2012-11-29 14:50:05 | pass_to_account | logined           | Holder logged in, return command: Pass bot to account
2012-11-29 14:50:05 | pass_to_account | logining_timedout | Login wait command timedout, return command: Pass bot to account
2012-11-29 14:48:05 | wait_cmd        | logining          | Holder tries to login with login: qwe123, and password: qweqwe, return command: Wait for commands] 
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Sample screenshot of the ATSEngine in action 
targeting HSBC: 
[Screenshot: .::hsbc@ATSEngine panel, Sat, 24 Nov 2012 10:5x (UTC); tabs Accounts, Drops, Reports, Transfers; Refresh, Delete Account, Delete All Accounts; Options; Sign out. The Accounts tab lists eight victim logins recorded on the morning of 2012-11-24, the latest at 10:51:25, with the columns Login Time, Login (ID), Security Answer, IP Address (partially masked in the original), ATS State (mostly "Undefined", one "Logging In"), Grabbed, Transfers and Logs. The bottom pane (Grabbed Data / Transfers / Reports; Refresh, Add Transfer) shows one transfer dated 22.11.2012 under the columns Transfer Date, Login (ID), Holder Account Nr., Drop Name, Drop Account Nr, Drop Sort Code, Transfer Memo (RegExp), Amount; memo "server repair", amount 2419.03.] 


Some of the most recent updates to the system 
include: 

01/11/2012 - Sets fullinfo grabbers for AU (37 banks) / CA 
(30 banks) / US (40 banks). Data on Holder to SSN / MMN / 
DOB / DL / DL exp / VBV... 

01/11/2012 - Grabbers CC + VBV (paypal, ebay, amazon, 
facebook) 

01/11/2012 - The system change number and Grading 
necessary disk imaging (input issues, balance sheets) for 
the Gulf santander.co.uk (instant on UK to 10kGBP) 

02/11/2012 - Grabber additional data for paypal (DE/UK/AU/ 
with the possibility to add other countries). Collects: Name 
Holder, Balance, Status (verif/neverif), Account Type, Time 
of the last entry, as well as rooms full of affection card 
and/or bank accounts for the AU and the UK, and questions 
with answers for DE 

13/11/2012 - Grabber TANS to ipko.pl 

23/11/2012 - Avtozaliv on hsbc.co.uk 

23/11/2012 - Grabber cc + cvv + exp + pin. works on all 
pages on which the algorithm finds on LUHN10 card number 
and exp field and collects requests PIN 

11/29/2012 - intercept system / bypass token to fnb.co.za 

Two-factor authentication is indeed an additional layer of 
security for your E-banking account. Everything changes on a 
crimeware-infected host, however, and sadly it changes in 
favor of the cybercriminal who compromised it. 
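The report log visible in the panel screenshots above can be turned into per-victim triage data. The following is an added example, not code from the original post or from the seller's system; it assumes a pipe-separated export with the panel's seven columns and uses rows constructed from the screenshot text:

```python
"""Rebuild victim sessions from an OTP-bypass panel's report log.

Added example; not code from the original post or from the seller's
system. Input rows follow the column layout of the panel screenshots:
Date/Time | Browser | IP address | Login (ID) | Command | State | Message.
Per login ID the code recovers the command sequence the operator pushed
to the inject (Wait for commands, Pass bot to account, Request OTP,
Login blocked) and derives the triage facts an analyst needs when working
from a seized or leaked panel export. SAMPLE_ROWS is constructed from the
screenshot text; the pipe-separated export format is an assumption.
"""
from dataclasses import dataclass, field
from datetime import datetime
import re

SAMPLE_ROWS = """\
2012-11-29 14:48:05|FF|127.0.0.1|qwe123|wait_cmd|logining|Holder tries to login with login: qwe123, and password: qweqwe, return command: Wait for commands
2012-11-29 14:50:05|FF|127.0.0.1|qwe123|pass_to_account|logining_timedout|Login wait command timedout, return command: Pass bot to account
2012-11-29 14:50:05|FF|127.0.0.1|qwe123|pass_to_account|logined|Holder logged in, return command: Pass bot to account
2012-11-29 15:02:30|FF|127.0.0.1|qwe123|otp|otp_submitted|OTP token submitted: 123456, return command: Request OTP
2012-11-29 15:02:30|FF|127.0.0.1|qwe123|otp|otp_submitted|OTP token submitted, return command: Wait for commands
2012-11-29 15:03:09|FF|127.0.0.1|qwe123|blocked|block_fake_shown|Block fake shown, return command: Login blocked
2012-11-29 15:05:12|FF|127.0.0.1|other77|wait_cmd|logining|Holder tries to login with login: other77, and password: hunter2, return command: Wait for commands
"""

RETURN_CMD = re.compile(r"return command:\s*(.+?)\s*$")
CREDS = re.compile(r"login:\s*\S+?,\s*and password:\s*\S+?,")
TOKEN = re.compile(r"OTP token submitted:\s*(\d+)")


@dataclass
class Event:
    when: datetime
    ip: str
    state: str
    message: str
    returned_command: str


@dataclass
class Session:
    login: str
    events: list = field(default_factory=list)
    credentials_logged: bool = False    # login + password appeared in a report message
    account_accessed: bool = False      # "Pass bot to account" was answered with state logined
    otp_tokens_relayed: list = field(default_factory=list)
    holder_blocked: bool = False        # the inject showed the holder the fake block page
    login_wait_timed_out: bool = False  # operator stayed silent past the inject's wait window

    @property
    def commands(self):
        return [e.returned_command for e in self.events]

    @property
    def seconds_to_block(self):
        """Seconds from the first report to the fake block page, or None."""
        if not self.holder_blocked:
            return None
        block = next(e.when for e in self.events if e.state == "block_fake_shown")
        return int((block - self.events[0].when).total_seconds())


def parse_row(line):
    ts, _browser, ip, login, _command, state, message = line.split("|", 6)
    m = RETURN_CMD.search(message)
    when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return login, Event(when, ip, state, message, m.group(1) if m else "")


def analyze_rows(text):
    """Group report rows by login ID and derive the triage flags."""
    sessions = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        login, ev = parse_row(line)
        s = sessions.setdefault(login, Session(login))
        s.events.append(ev)
        if CREDS.search(ev.message):
            s.credentials_logged = True
        if ev.state == "logined" and ev.returned_command == "Pass bot to account":
            s.account_accessed = True
        tok = TOKEN.search(ev.message)
        if tok:
            s.otp_tokens_relayed.append(tok.group(1))
        if ev.state == "block_fake_shown":
            s.holder_blocked = True
        if ev.state == "logining_timedout":
            s.login_wait_timed_out = True
    for s in sessions.values():
        s.events.sort(key=lambda e: e.when)  # stable sort keeps export order for equal timestamps
    return sessions


def triage(sessions):
    """Most exposed victims first: relayed OTP, then account access, then credential capture."""
    def severity(s):
        return (bool(s.otp_tokens_relayed), s.account_accessed, s.credentials_logged)
    return sorted(sessions.values(), key=severity, reverse=True)
```

Running triage(analyze_rows(SAMPLE_ROWS)) puts qwe123 first: credentials logged, bot passed into the account, one OTP relayed, and the holder finally shown the fake block page 904 seconds after the first report.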

1. http://www.zdnet.com/blog/security/modern-banker-malware-undermines-two-factor-authentication/4402 

2. http://www.zdnet.com/blog/security/no-security-software-no-e-banking-fraud-claims-for-you/1158 

3. https://www.google.com/#output=search&sclient=psy-ab&q=site:ddanchev.blogspot.com+zeus 

4. https://blogs.rsa.com/the-carberp-code-leak/ 

5. http://blog.webroot.com/2013/03/14/new-zeus-source-code-based-rootkit-available-for-purchase-on-the-underground-market/ 

6. http://blog.webroot.com/2013/06/27/self-propagating-zeus-based-source-codebinaries-offered-for-sale/ 
Instagram Under Fire as Cybercriminals Release New DIY 
Fake Account Registration/Management/Promotion Tool 
(2013-07-23 17:01) 

In 2013, CAPTCHAs represent an [1]outdated approach for 
a Web site wanting to prevent the [2]efficient and 
systematic abuse of its services. 

This fact, largely driven by the rise of [3]cost-effective 
CAPTCHA solving solutions offered by low-waged individuals 
internationally over the last couple of years, continues to 
empower virtually anyone possessing the right 
cybercrime-friendly tools with the ability to [4]abuse any 
major Web property in a potentially fraudulent or 
malicious way. 

In this post, I'll profile one of the most recently released 
DIY fake account registration/management/promotion tools 
targeting Instagram, highlight its core features, and 
emphasize the true impact that these tools are having 
on some of the world's most popular Web properties. 

Sample screenshots of the tool in action: 
[Screenshots: the tool's Windows GUI with the tabs welcome / config / accounts / actions / tools. The actions tab offers LOAD, FOLLOW, UNFOLLOW, LIKE, COMMENT, UPDATE PROFILE and UPLOAD PHOTOS, each with "Threads To Start", "Delay in Seconds", targeting options ("By Below Tags (Efficient to get real followers)", "By Below User Names", "By Below Media ID", "Max Follow Count", "Max Like Count: 999999", "Get Hot Tags"), a caption/comment spintax box ("One item each line, bot will randomly pick one"), a success counter ("18 success of 20 try") and a log viewer with entries such as "INFO - <account> followed <user id> successfully", "INFO - <account> likes photo id <id> successfully" and "WARN - No cookie found from persistent storage". The accounts tab (CHECK ACCOUNT, TEST PROXY, RENEW ROUTER IP; "accounts.txt in root directory is loaded by default") lists user name, password, PK, invalid / profile picture / CAPTCHA flags, uploaded photos, follower and following counts, with "Export valid" / "Export invalid" buttons and a counter ("1019 success of 1380 try"). The config tab (BASIC SETTING / ADVANCED SETTING) sets "Threads To Start: 100", "Accounts To Create: 30000", "Seconds To Create Next: 3", "Max accounts per proxy: 9", "Upload Profile Picture Randomly and Update Profile Info With Random Data", "Upload Photos Randomly", the gender mix ("Gender: Female (80%)", female/male profile templates) and input files for e-mails, profile websites, profile bios, profile pictures and names (supported picture formats: .jpg, .png and .jpeg). A results grid shows the created accounts with user name, password, e-mail, updated-profile and uploaded-photos flags and creation time (6/15/2013).] 

Some of its core features are: 

• support for multi-threads 

• set number of accounts to generate using a single proxy 
(malware-infected host) 

• randomization of the posted bogus content to avoid easy 
detection of the pattern 

• male/female fake account creating capabilities 

• mass account validity checking capabilities 

• CAPTCHA-solving integration with third-party CAPTCHA 
solving services 

Over the years, I've been extensively profiling campaigns 
utilizing purely legitimate infrastructure for achieving 
the fraudulent/malicious objectives set by the cybercriminal 
behind the campaign. These cases demonstrate that 
cybercriminals continue to pursue the efficient and 
systematic abuse of legitimate Web properties, which, on the 
other hand, continue relying on CAPTCHA challenges to 
differentiate between bots and humans using the site, 
forgetting that it's actually humans solving the CAPTCHAs for 
their customers. 24/7/365. 

Known cases of abuse of legitimate infrastructure for 
fraudulent/malicious purposes over the years include: 

• [5]Bogus "Shocking Video" Content at Scribd Exposes 
Malware Monetization Scheme Through Parked Domains 

• [6]Fake Codec Serving Domains from Digg.com's Comment 
Spam Attack 

• [7]Bogus Linkedin Profiles Redirect to Malware and Rogue 
Security Software 

• [8]Dissecting the Bogus Linkedin Profiles Malware 
Campaign 

• [9]From Ukraine with Scareware Serving Tweets, Bogus 
Linkedin/Scribd Accounts, and Blackhat SEO Farms 

• [10]Celebrity-Themed Scareware Campaign Abusing 
DocStoc and Scribd 

• [11]Celebrity-Themed Scareware Campaign Abusing 
DocStoc 

• [12]From Ukraine with Bogus Twitter, Linkedin and Scribd 
Accounts 

• [13]Pharmaceutical Spammers Targeting Linkedin 

This post has been reproduced from [14]Dancho 
Danchev's blog. Follow him [15]on Twitter. 

1. http://ddanchev.blogspot.com/2009/06/peek-inside-managed-blackhat-seo.html 

2. http://blog.webroot.com/2013/04/23/captcha-solving-russian-email-account-registration-tool-helps-facilitate-cybercrime/ 

3. http://www.zdnet.com/blog/security/inside-indias-captcha-solving-economy/1835 

4. http://blog.webroot.com/2013/01/15/cybercriminals-release-automatic-captcha-solving-bogus-youtube-account-generating-tool/ 

5. http://ddanchev.blogspot.com/2013/06/bogus-shocking-video-content-at-scribd.html 

6. http://ddanchev.blogspot.com/2009/02/fake-codec-serving-domains-from.html 

7. http://ddanchev.blogspot.com/2009/04/bogus-linkedin-profiles-redirect-to.html 

8. http://ddanchev.blogspot.com/2009/01/dissecting-bogus-linkedin-profiles.html 

9. http://ddanchev.blogspot.com/2009/06/from-ukraine-with-scareware-serving.html 

10. http://ddanchev.blogspot.com/2009/12/celebrity-themed-scareware-campaign.html 

11. http://ddanchev.blogspot.com/2009/12/celebrity-themed-scareware-campaign_07.html 

12. http://ddanchev.blogspot.com/2009/07/from-ukraine-with-bogus-twitter.html 

13. http://ddanchev.blogspot.com/2009/02/pharmaceutical-spammers-targeting.html 

14. http://ddanchev.blogspot.com/ 

15. http://twitter.com/danchodanchev 
[Screenshots of two Webroot Threat Blog posts by Dancho Danchev: 
"DIY commercially-available 'automatic Web site hacking as a 
service' spotted in the wild" and "Custom USB sticks bypassing 
Windows 7/8's AutoRun protection measure going mainstream"] 

Summarizing Webroot's Threat Blog Posts for July 
(2013-08-01 19:01) 

The following is a brief summary of all of my posts at 
[1]Webroot's Threat Blog for July, 2013. You can subscribe to 
[2]Webroot's Threat Blog RSS Feed, or follow me on Twitter: 

01 . [3]Cybercriminals experiment with Tor-based C &C, ring- 
3-rootkit empowered, SPDY form grabbing malware bot 


02 . [4]Deceptive ads targeting German users lead to the 
'W32/SomotoBetterInstaller' Potentially Unwanted 
Application (PUA) 


03 . [5]Newly launched underground market service harvests 
mobile phone numbers on demand 

04 . [6]Novel ransomware tactic locks users' PCs, demands 
that they participate in a survey to get the unlock code 

05 . [7]Spamvertised 'Export License/Invoice Copy' themed 
emails lead to malware 

06 . [8]Cybercriminals spamvertise tens of thousands of fake 
'Your Booking Reservation at Westminster Hotel' themed 
emails, serve malware 

07 . [9]New commercially available mass FTP-based proxy- 
supporting doorway/malicious script uploading application 
spotted in the wild 

08 . [10]Fake 'iG04 Private Car Insurance Policy Amendment 
Certificate' themed emails lead to malware 

09 . [11]Tens of thousands of spamvertised emails lead to the 
Win32/PrimeCasino PUA (Potentially Unwanted Application) 

10 . [12]Spamvertised 'Vodafone U.K MMS ID/Fake Sage 50 
Payroll' themed emails lead to (identical) malware 

11 . [13]New commercially available Web-based 
WordPress/Joomla brute-forcing tool spotted in the wild 

12 . [14]Rogue ads targeting German users lead to 
Win32/InstallBrain PUA (Potentially Unwanted Application) 

13 . [15]Yet another commercially available stealth 
Bitcoin/Litecoin mining tool spotted in the wild 

14 . [16]Deceptive 'Media Player Update' ads expose users to the 
rogue 'Video Downloader/Bundlore' Potentially Unwanted 
Application (PUA) 

15 . [17]Newly launched 'HTTP-based botnet setup as a 
service' empowers novice cybercriminals with bulletproof 
hosting capabilities 

16 . [18]Fake 'Copy of Vodafone U.K Contract/Your Monthly 
Vodafone Bill is Ready/New MMS Received' themed 
emails lead to malware 

17 . [19]Rogue ads lead to the 'Free Player' Win32/Somoto 
Potentially Unwanted Application (PUA) 

18 . [20]How much does it cost to buy one thousand 
Russian/Eastern European based malware-infected hosts? 

19 . [21]Custom USB sticks bypassing Windows 7/8's 
AutoRun protection measure going mainstream 

20 . [22]DIY commercially-available 'automatic Web site 
hacking as a service' spotted in the wild 

This post has been reproduced from [23]Dancho 
Danchev's blog. Follow him [24]on Twitter 

1. http://blog.webroot.com/ 

2. http://feeds2.feedburner.com/WebrootThreatBlog 

3. http://blog.webroot.com/2013/07/02/cybercriminals-experiment-with-tor-based-cc-ring-3-rootkit-empowered-spdy-form-grabbing-malware-bot/ 

4. http://blog.webroot.com/2013/07/03/deceptive-ads-targeting-german-users-lead-to-the-w32somotobetterinstal
Dissecting a Sample Russian Business Network (RBN) 
Contract/Agreement Through the Prism of RBN's 
AbdAllah Franchise (2013-08-10 21:10) 

[1]The Russian Business Network (RBN) is perhaps the most 
speculated about, most buzzed about cybercrime enterprise in the 
world, a poster child for fraudulent activity 'streaming' from 
'Mother Russia' in the eyes of respected and novice 
security/cybercrime researchers across the globe. 

However, what a huge percentage of the researchers who are just 
catching up with its '[2]fraudulent performance metrics' over the 
years don't realize is how a newly emerged bulletproof hosting 
provider managed to end up as the world's most prolific source of 
fraudulent/malicious activity. 

Hint: basic business concepts like franchising, signalling the 
early stages of the modernization/professionalization of 
cybercrime, where being the benchmark has had a direct 
inspirational impact on the 'hearts and minds' of current and 
potential cybercriminals, then and now. 

Case in point is [3]Abdallah Internet Hizmetleri, also known as 
AbdAllah (VN), an ex-RBN darling relying on the franchise business 
concept. 

In this post, I'll discuss a sample contract/contractual agreement 
that every one of its customers had to sign before doing business 
with them. In the broader context this leads to a situation where, 
while the franchise is publicly advertising bulletproof hosting 
services for trojans, exploits, warez, adult content, drop 
projects, botnets and spam, it's explicitly forbidding such 
activities - with some visible exceptions - in its contractual 
agreement. 

What does this mean? It means that the Russian Business Network, 
the benchmark for the majority of ex/currently active bulletproof 
hosting providers, has been (legally) forwarding the responsibility 
for the fraudulent activity to its customers, while reserving the 
right to act and deactivate their accounts if they ever violate the 
agreement/contract. The first thing that comes to my mind when it 
comes to the RBN 'reacting' in a socially oriented manner are the 
infamous [4]RBN Fake Account Suspended Notices, and that's just for 
starters, indicating a deteriorated understanding of 
malicious/fraudulent activity, with high profit margins in mind. 

Let's go through the contract/agreement that every customer used 
to sign before doing cybercrime-friendly business with them. The 
original is in Russian; an English translation follows. 



Sample AbdAllah (VN) Contractual Bulletproof Hosting 
Agreement/Contract (original in Russian; English translation 
follows): 
AbdAllah (VN) Contractual Bulletproof Hosting Agreement/Contract, 
translated from the Russian (ИСПОЛНИТЕЛЬ rendered as CONTRACTOR, 
ЗАКАЗЧИК as CUSTOMER): 

1. SUBJECT OF THE AGREEMENT 

1.1. The CUSTOMER engages, and the CONTRACTOR undertakes, to host 
and/or register the CUSTOMER's virtual server on the Internet. 

2. TERMS OF PERFORMANCE OF THE AGREEMENT 

2.1. Upon conclusion of this Agreement the CONTRACTOR performs the 
initial installation and configuration of the virtual server and 
provides the CUSTOMER with the information needed to administer 
the virtual server. 

2.2. The CONTRACTOR provides Internet access to the virtual server 
and keeps all of the CUSTOMER's available services operational 
around the clock, seven days a week. 

3. PRICES AND PAYMENT TERMS 

3.1. The cost of, and payment terms for, the work under this 
Agreement at the time of its conclusion are determined by the 
current conditions distributed by staff via e-mail and/or ICQ. 

3.2. Payment is made by the CUSTOMER towards the CONTRACTOR's 
virtual web server support service. The CONTRACTOR has the right 
to suspend the provision of services while the account balance is 
negative. 

3.3. All dedicated servers are provided UNMANAGED, i.e. the 
CONTRACTOR's administrators may, but are NOT OBLIGED to, configure 
the rented server. Any configuration of the CUSTOMER's server, or 
of scripts on it, is charged at 50 USD per hour of administrator's 
work on your request, with a minimum of half an hour. Full 
administration of the server by the CONTRACTOR's specialists costs 
250 USD per month. Server reboots are free of charge (if there is 
no automatic form for this). 

3.4. If the CUSTOMER has not paid for the services by the last day 
of the billing period, the CUSTOMER's data is deleted at the start 
of the next day without possibility of recovery. In the case of 
virtual hosting the account and all backups of that account are 
deleted; in the case of a rented server (dedicated or VPS) the 
server is taken out of service and its hard drives are formatted. 

4. LIABILITY OF THE PARTIES 

4.1. The CONTRACTOR is not liable to the CUSTOMER or to third 
parties for any delays, interruptions, damage or losses arising 
from: 

(a) defects in any electronic or mechanical equipment not 
belonging to the CONTRACTOR; 

(b) problems in data transfer or connectivity that occurred 
through no fault of the CONTRACTOR; 

(c) force majeure in the generally accepted sense, i.e. 
extraordinary and unavoidable circumstances beyond reasonable 
control; 

(d) pressure from the authorities. 

4.2. If the Agreement is terminated on the CUSTOMER's initiative, 
the unused part of the advance payment is returned to the 
CUSTOMER. 

4.3. The CONTRACTOR reserves the right to suspend service to the 
CUSTOMER or to terminate the Agreement unconditionally, without 
refunding the customer's funds, in the following cases: 

- hosting child pornography or zoophilia in any form; 

- attempts at hacking or unauthorized intrusion into the server or 
into other clients' accounts, and attempts to damage hardware or 
software; 

- attempts to hack government organizations of any kind; 

- spamming of any kind from our virtual hosting servers, other 
than through SOCKS proxies; 

- phishing of banks (theft of money); 

- posting information on the trade in weapons and drugs, 
trafficking in people or human organs, incitement of ethnic or 
religious hatred, or calls for war and violence; 

- unjustified overloading of the virtual hosting server's 
computing resources (no more than 5 % of the processor and no more 
than 128 MB of the server's RAM may be used); 

- hacking attempts from the servers (dedicated and virtual 
hosting) against servers located in the same rack, or against 
clients in the same country in which the server is located; 

- insulting the service's staff in any form. 

4.4. The CONTRACTOR is not responsible for the content of the 
information hosted by the CUSTOMER. 

4.5. The CONTRACTOR shall not be liable for any costs or damages 
arising directly or indirectly from the use of the web hosting 
service. 

4.6. MoneyBack for a dedicated server is possible only if the 
server's unavailability is the CONTRACTOR's fault, since the 
CONTRACTOR pays the full cost of the server to the data center. 
Replacement of the server is also possible. 

4.7. Hosting of CUSTOMER sites advertised by SPAM on the 
CONTRACTOR's servers (both virtual hosting and dedicated) is 
charged separately, based on the volume of messages: for volumes 
of 5 to 10 million, 1000-1500 USD per month for a server in China 
or Hong Kong, or 150 USD per week or 500 USD per month for virtual 
hosting; for more than 10-20 million, 200 USD per week or 2000 USD 
for a dedicated server. 

4.8. The CONTRACTOR undertakes to make daily backup copies of the 
CUSTOMER's account to a third-party server (virtual hosting only). 

4.9. The CONTRACTOR undertakes to resolve all complaints (abuse 
reports) on its own, without involving the CUSTOMER and without 
interfering with the CUSTOMER's data. The CONTRACTOR does not 
resolve complaints (abuse reports) from the police, major 
government organizations and VerSign. 

4.10. The CONTRACTOR gives no guarantee that the CUSTOMER's domain 
will not be blocked for any reason, in particular for any kind of 
SPAM, fraud, phishing, etc. 

5. CONFIDENTIAL INFORMATION 

5.1. The Parties undertake not to disclose to third parties, or to 
use in any manner not provided for by the terms of the Agreement, 
without mutual consent, any organizational, technological, 
commercial, financial or other information constituting a secret 
of either Party (hereinafter "confidential information"), provided 
that: 

- such information has actual or potential commercial value by 
virtue of being unknown to third parties; 

- there is no free lawful access to such information; 

- the holder of such information takes appropriate measures to 
keep it confidential. 

5.2. The Parties undertake not to disclose to third parties, 
without mutual consent, information on the content and terms of 
the Agreement. 

5.3. The CONTRACTOR undertakes to prevent the recording of logs on 
the virtual hosting servers and routing equipment. 

5.4. Be careful: the CONTRACTOR's staff do not ask for passwords 
to virtual hosting accounts or dedicated servers. The exception is 
when the CUSTOMER asks for work to be carried out on his dedicated 
server. 

Setting aside the fact that the agreement itself openly prices the 
hosting of spam-advertised sites (clause 4.7), and that its abuse 
handling is virtually non-existent (clause 4.9 commits the 
provider to resolving complaints on its own, without involving the 
customer, except when they come from the police, major government 
organizations or VerSign), the contract explicitly prohibits the 
related malicious/fraudulent activity. Naturally, that wasn't the 
case when AbdAllah (VN) used to advertise its bulletproof hosting 
service across cybercrime-friendly communities, "back in the day": 
In 2013, despite the overall availability of RBN-like 
bulletproof hosting providers, cybercriminals continue 
experimenting with abusing legitimate infrastructure in an attempt 
to mitigate the risk of having their activities exposed. 

Various cases throughout the last couple of years include: 

• [5]Cybercriminals use Twitter, Linkedin, Baidu, MSDN as 
command and control infrastructure 

• [6]RSA: Banking trojan uses social network as command 
and control server 

• [7]Trojan.Whitewell: What's your (bot) Facebook Status 
Today? 

• [8]Twitter-based Botnet Command Channel 

• [9]Google Groups Trojan 

• [10]Zeus crimeware using Amazon's EC2 as command and 
control server 

The "best" is yet to come. 
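The cases listed above share one property: the command-and-control endpoint lives on a domain (Twitter, LinkedIn, Google Groups, an EC2 address) that a reputation-based blocklist cannot sensibly block. What the bot cannot hide is its behaviour, which is why detection of this class of C&C leans on timing rather than on destination. The Python script below is an added example, not code from the original post or from any of the reports cited above; it runs a simple beaconing check over a handful of constructed proxy log lines in an assumed 'timestamp source-host URL' layout and flags (host, URL) pairs that are polled at a near-constant interval. The hostnames, the sample URL, the log layout and the thresholds are all assumptions made for the example.

```python
"""Beaconing check over proxy logs (added example, not from the post).

A bot that fetches its commands from a legitimate service polls the
same URL on a timer; a person reading the same site does not. The
script groups requests by (source host, URL), measures the gaps
between consecutive requests and reports pairs whose gaps are regular
enough (low coefficient of variation) to look machine-driven.

Assumptions: an invented 'timestamp src url' log layout, invented
hosts and URL, and thresholds chosen for the sample rather than tuned
for production traffic.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. 10.0.0.5 polls one timeline URL every five
# minutes with a few seconds of jitter (bot-like); 10.0.0.7 hits the same
# URL at irregular, human-looking intervals and also browses elsewhere.
SAMPLE_LOG = """\
2013-08-10T10:00:00 10.0.0.5 http://twitter.com/statuses/user_timeline/example_bot.rss
2013-08-10T10:05:02 10.0.0.5 http://twitter.com/statuses/user_timeline/example_bot.rss
2013-08-10T10:10:01 10.0.0.5 http://twitter.com/statuses/user_timeline/example_bot.rss
2013-08-10T10:14:59 10.0.0.5 http://twitter.com/statuses/user_timeline/example_bot.rss
2013-08-10T10:20:00 10.0.0.5 http://twitter.com/statuses/user_timeline/example_bot.rss
2013-08-10T10:25:03 10.0.0.5 http://twitter.com/statuses/user_timeline/example_bot.rss
2013-08-10T10:00:10 10.0.0.7 http://twitter.com/statuses/user_timeline/example_bot.rss
2013-08-10T10:01:40 10.0.0.7 http://twitter.com/statuses/user_timeline/example_bot.rss
2013-08-10T10:31:05 10.0.0.7 http://twitter.com/statuses/user_timeline/example_bot.rss
2013-08-10T10:32:00 10.0.0.7 http://twitter.com/statuses/user_timeline/example_bot.rss
2013-08-10T11:40:00 10.0.0.7 http://twitter.com/statuses/user_timeline/example_bot.rss
2013-08-10T11:41:00 10.0.0.7 http://twitter.com/statuses/user_timeline/example_bot.rss
2013-08-10T10:02:00 10.0.0.7 http://www.example.com/news
"""


def parse_line(line):
    """Split one 'timestamp src url' record into (datetime, src, url)."""
    stamp, src, url = line.split(maxsplit=2)
    return datetime.fromisoformat(stamp), src, url


def gaps_by_pair(log_text):
    """Return {(src, url): [seconds between consecutive requests]}."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            stamp, src, url = parse_line(line)
            times[(src, url)].append(stamp)
    gaps = {}
    for key, stamps in times.items():
        stamps.sort()  # logs are not guaranteed to arrive in order
        gaps[key] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return gaps


def find_beacons(log_text, min_requests=4, max_cv=0.2):
    """Return [(src, url, mean_gap_seconds, cv)] for regular pollers.

    cv is the coefficient of variation (std dev / mean) of the request
    gaps: close to 0 for a timer, well above max_cv for a person. Pairs
    with fewer than min_requests requests are skipped, since regularity
    measured on two or three gaps means nothing.
    """
    hits = []
    for (src, url), gaps in gaps_by_pair(log_text).items():
        if len(gaps) + 1 < min_requests:
            continue
        avg = mean(gaps)
        if avg <= 0:
            continue  # only duplicate timestamps; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((src, url, round(avg, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for src, url, avg, cv in find_beacons(SAMPLE_LOG):
        print(f"{src} polls {url} every ~{avg:.0f}s (cv={cv})")
```

On the constructed sample only 10.0.0.5 is reported, with a mean gap of about 300 seconds and a coefficient of variation well under 0.01; 10.0.0.7 reads the same URL but its gaps vary by orders of magnitude and it is left alone. In real traffic the thresholds need tuning and the check should ignore known pollers (feed readers, update checks) that beacon for legitimate reasons.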

This post has been reproduced from [11]Dancho 
Danchev's blog. Follow him [12]on Twitter. 

1. https://www.google.com/#bav=&q=site:ddanchev.blogspot.com+RBN 

2. http://www.shadowserver.org/wiki/uploads/Information/RBN-AS40989.pdf 

3. http://www.shadowserver.org/wiki/uploads/Information/RBN_Rizing.pdf 

4. http://ddanchev.blogspot.com/2008/01/rbns-fake-account-suspended-notices.html 

5. http://www.zdnet.com/blog/security/cybercriminals-use-twitter-linkedin-baidu-msdn-as-command-and-control-infrastructure/11210 

6. http://www.zdnet.com/blog/security/rsa-banking-trojan-uses-social-network-as-command-and-control-server/6 

7. http://www.symantec.com/connect/blogs/trojanwhitewell-what-s-your-bot-facebook-status-today 

8. http://www.arbornetworks.com/asert/2009/08/twitter-based-botnet-command-channel/ 

9. http://www.symantec.com/connect/blogs/google-groups-trojan 

10. http://www.zdnet.com/blog/security/zeus-crimeware-using-amazons-ec2-as-command-and-control-server/5110 

11. http://ddanchev.blogspot.com/ 

12. http://twitter.com/danchodanchev 
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Dissecting a Sampie Russian Business Network (RBN) 
Contract/Agreement Through the Prism of RBN's 

AbdAiiah Franchise (2013-08-10 21:10) 

[l]The Russian Business Network (RBN), is perhaps the 
most speculated, buzzed about, cybercrime enterprise in 

the World, a poster child for fraudulent activity 'streaming' 
from 'Mother Russia', in the eyes of respected/novice 

security/cybercrime researchers across the globe. 

However, what a huge percentage of the researchers who're 
just catching up with its '[2]frauduient perfor¬ 
mance metrics' over the years, don't realize, is how a newly 
emerged bulletproof hosting provider, managed to end 

up, as the World's most prolific source of 
fraudulent/malicious activity. 

Hint: Basic business concepts like franchising, signalling the 
early stages of the modernization/professionalization of 

cybercrime, where being the benchmark has had a direct 
inspirational impact in the 'hearts and minds' of current 

and potential cybercriminals, then and now. 

Case in point is [3]Abdallah Internet Hizmetleri also 
known as AbdAiiah (VN), an ex-RBN darling relying on 

the franchise business concept. 


In this post, I'll discuss a sample contract/contractual 
agreement that every one of its customers had to sign 

before doing business with them, which in the broader 
context leads to a situation, where while the franchise is 

publicly advertising the bulletproof hosting services for 
trojans, exploits, warez, adult content, drop projects, botnets 

353 

and spam, it's explicitly forbidding such activities - with 
some visible exceptions - in its contractual agreement. 

What does this mean? It means that the Russian Business 
Network, the benchmark for the majority of ex/currently 

active bulletproof hosting providers, has been (legally) 
forwarding the responsibility for the fraudulent activity 

to its customers, in between reserving the right to act and 
deactivate their accounts if they ever violate the 

agreement/contract. The first thing that comes to my mind 
when it comes to the RBN 'reaction' in a socially 

oriented manner, are the infamous [4]RBN Fake Account 
Suspended Notices, and that's just for starters, indicating 
a deteriorated understanding of malicious/fraudulent 
activity, with high profit margins in mind. 

Let's go through the contract/agreement that every customer 
used to sign, before doing cybercrime-friendly 

business with them, both in original Russian, and 
automatically translated in English. 



Sample AbdAllah (VN) Contractual Bulletproof 
Hosting Agreement/Contract in Russian: 

1. nPEMMET MOrOBOPA 

1.1. SaKasHMK nopyHaer, a t/ICnonhU/ITE/lb Geper na ce6fi 
odfisare/ibCTBa no pasMemeHi/iio i/i/i/ini/i peri/iCTpai^i/ii/i 

BMprya/ibHoro cepBepa 3AKA3HI/IKA b cgtm l/lHTepneT. 

2 . yC/lOBMfJ BbinO/IHEHMfJ J^OEOBOPA 

2 . 1 . 

no 3aK/ifOHeHMfo HacTOBLMero floroBopa t/ICnonhU/ITEflb 
npoi/i3BO/],i/iT nepBOHana/ibHyHD ycTanoBKy 

I/I HacTpoMKy Bi/iprya/ibHoro cepaepa i/i odecneni/iBaeT 
3AKA3HI/IKA Heo6xofl.i/iMon i/iH(popMai 4 i/ien fl/iB 

aflMi/iHi/icrpi/ipoBaHi/iB Bi/iprya/ibHoro cepaepa. 

2 . 2 . 

l/ICnonhU/ITEflb oOecnennaaeT flocryn b cgtm l/lHTepneT k 
B i/iprya/ibHOMy cepaepy, a rax /kg 

pa6oTOcnoco6HOCTb bcgx flocrynHbix CGpai/icoa 3AKA3HI/IKA 
Kpyr/iocyroHHO b tghghi/ig cgmi/i /^hgm b hg/^g/iio. 

3. UEHbl I/I nOPPMOK On/IATbl 
3.1. 

CroMMOCTb I/I nopaflOK on/iarbi paOor no HacToamoMy 
floroBopy Ha momght Gro 3aKniOHGHi/iB 



onpefle/ifieTCfi b cooTBercTBMM c /^eMCTBytoinMMM 
ycnoBi/iBMi/i, pacnpocTpaHfjeMbiMi/i corpyflHi/iKaMi/i no E- 

Mail m/m/im icq. 

3.2. 

Onnara bhocmtcb 3AKA3HI/IK0M b chgt onnarbi yc/iyrn 
no^flep}KKM BMprya/ibHoro Be6-cepBepa 

l/ICnO/lHI/ITE/lEM. l/ICnO/lHI/ITE/lb BnpaBG npi/iocTanoBMTb 
npefloCTaBneni/ie ycnyr npi/i orpni^aTe/ibHOM 

cocTOBHi/ii/i CHera. 

3.3. 

Bee Bbifle/iGHHbie cepaepbi npeflocraBfiBHDTCB b coctobhi/ii/i 
UNMANAGED, T.e a/^MMHMCTparopbi 

MCnO/IHMTE/lfJ Moryr, ho hg 0BfJ3AHbl HaerpaMBarb 
apGH^yGMbiM cepaep. 3a /itodyio HaerpoMKy cepaepa 

3AKA3HMKA, ni/i6o CKpnnTOB Ha hgm - BSbiMaeTCB nnara b 
pasMGpe 50 USD/sa 1 nac padoTbi a/^MMHMCTparopa 

l/ICnO/IHI/ITE/lfJ no BatuGMy Bonpocy, Mi/iHi/iMyM non naca. 
rionHoe aflMi/iHi/icTpi/ipoBaHi/ie cepBopa cnei^i/iani/icTaMi/i 

MCnO/lHMTE/lfl CTOHT 250 USD b Mecn^. 

EecnnaTHO ocymecTanneTcn nepesarpysKa cepaep (ecni/i 

HOT 

aBTOMaTi/iHGCKOH 0opMbi flnn aroro). 

3.4. B cnyHae hg onnarbi ycnyr 3AKA3HMK0M b nocne/^HMM 
/^GHb 6i/inni/iHroBoro nepi/iofla, flaHHbie 3AKA3HMKA 



yfl.anfJK)TCfj no HacrynneHi/iK) HOBbix cyroK dea BoaeparHO. B 
cfiynae Bi/iprya/ibHoro xocTi/inra yfla/iBercB 

axKayHT i/i Bce daxanbi flanHoro aKKaynra, b cnynae apen^bi 
cepBepa (dedicated i/i/ii/i vps) cepaep CHi/iMaercB c 

o6cny>Ki/i Ban I/IB, 0opMaTi/ipyHDTCB /xecTKi/ie fli/iCKi/i. 

4. OTBETCTBEHHOCTb CTOPOH 
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4.1. 

l4CnO/1HI4TE/1b He necer OTBercTBeHMOCTM nepefl 
3AKA3HI4K0M m/im TperbMMM CToponaMM aa 

fiHDdbie aa/^ep/KKM, npepbiBaHMB, ymepd i/ini/i norepi/i, 
npoi/icxoflBuai/ie i/ia-aa: 

(a) /^ecpexTOB b /ihdOom a/ieKrpoHHOM i/ini/i MexaHi/inecKOM 
odopy/^OBaHi/iM, He npHHaM/ie/KameM l4CnO/1HMTE/1iO; 

(6) npod/ieM npi/i nepe/^ane flannbix i/ini/i coefli/iHeni/ii/i, 
npoi/iaoLuefliui/ix ne no anne l/ICnonhU/ITE/lP; 

(b) BcneflCTBi/ie oOcTOBre/ibCTB Henpeofloni/iMOH ci/inbi b 
odiifenpMHBTOM CMbic/ie, r.e. HpeaBbinanHbiMi/i ci/inaMi/i 

I/I HenpeflOTBpari/iMbiMH odcTOBre/ibCTBaMM, ne 
noflfie/Kami/iMi/i paayMHOMy kohtpo/iio; 

(r) flaB/ieni/ie B/iacren. 

4.2. ripi/i pacTop/KeHi/ii/i MoroBopa no i/iHi/mi/iari/iBe 
3AKA3HI/IKA, Hencno/ibaoBaHHaB nacTb aaaHca 3AKA3HI/IKy 



BOSBpaLuaercfj. 


4.3. 

MCnOJJHMTEJJb ocraB/ifieT sa co 6 oh npaao 
npHOCTaHOBHTb o 6 cjiy>KHBaHHe 3AKA3HMKA h/ih 

pacToprnyTb floroBop b deaycnoBHOM nopBflKe Sea 
BoaBpaiMCHHB cpeflCTB aaKaaHHKy b cneflyiomHx 
cnyHaBx: 

- paaMemenne abtckoh nopHorpa(pHH h aoo(pH/iHH b 
/ik) 6 om BHfle; 

- nonbiTKH BanoMa, HecaHKi^HOHnpoBaHHoro 
npoHHKHOBeHHB Ha cepaep, b aKKayHTbi flpyrnx 
K/tneHTOB, 

nonbiTKH nopHH odopyflOBaHHB hjih nporpaMMHoro 
odecneHBHHB; 

- nonbiTKH BanoMa npaBHTB/ibCTBBHHbix opraHnaai^HH 
modoM BHflB; 

- nonbiTKH cnaMa niodoro pofla c naujHx CBpaopoB 
BHpTya/IbHOrO XOCTHHra, KpOMB KaK HBpoa COKCbi; 

- nonbiTKH (pHUJHHra daHKOB (Kpax^a abhbt); 

- paaMBlMBHHB HH(pOpMai4HH nO TOprOB/IB OpyX<HBM H 
HapKOTHKaMH, ToproBJiB /iioflbMH H/iH opraHaMH 

nioflBH, BbiabiBaioiMHB MBx<Hai 4 HOHanbHyio h 
pB/iHTHoanyio poanb, npnabiBaiomyio k bohhb h 
H acH/iHio; 

- HBonpaBflaHHan noporpyaKa BbiHHC/iHTB/ibHbix 
MOIMHOCTBH CBpBBpa BHpTya/IbHOTO XOCTHHTa 



(flonycKaercf! 

HcnojtbsoBaTb He donee 5 % moimhocth npoi^eccopa h 
H e donee 128Md oneparHBHOH naMBTH cepBepa); 

- nonbiTKH BsnoMa c cepaepoB (dedicated h 
BH pryanbHbiH xocthhc) - cepaepbi, KOTopue 
pacnonon<eHbi 

pnflOM B CTOHKe, nndo KnneHTOB btoh x<e crpanbi, rfle 
...the server is located;

- insulting service staff in any form.

4.4. The CONTRACTOR is not responsible for the content of the information posted by the CUSTOMER.

4.5. The CONTRACTOR shall not be liable for any costs or damages arising directly or indirectly from the use of the web hosting service.

4.6. MoneyBack for a dedicated server is possible only if the unavailability of that server is the CONTRACTOR's fault, since the CONTRACTOR pays the data center the full cost of the server. Replacement of the server is also possible.

4.7. Hosting of CUSTOMER sites advertised by SPAM on the CONTRACTOR's servers (both virtual hosting and dedicated) is paid for separately, based on the volume of messages. For volumes of 5 million to 10 million: 1000 USD - 1500 USD per month for a server in China or Hong Kong, or 150 USD per week or 500 USD per month for virtual hosting; above 10-20 million: 200 USD per week or 2000 $ for a dedicated server.

4.8. The CONTRACTOR undertakes to make daily backup copies of the CUSTOMER's account to a third-party server (virtual hosting only).

4.9. The CONTRACTOR undertakes to resolve all complaints (abuses/abuse) on its own, without involving the CUSTOMER and without interfering with the CUSTOMER's data. The CONTRACTOR does not resolve complaints (abuses/abuse) from the police, large government organizations and VerSign.

4.10. The CONTRACTOR gives no guarantee that the CUSTOMER's domain will not be blocked for any reason, especially for reasons such as any kind of SPAM, fraud, phishing, etc.

5. CONFIDENTIAL INFORMATION

5.1. Without mutual consent, the Parties undertake not to transfer to third parties, or to use in any way not provided for by the terms of the Agreement, organizational-technological, commercial, financial and other information that constitutes a secret for either of the Parties (hereinafter "Confidential Information"), provided that:

- such information has actual or potential commercial value by virtue of being unknown to third parties;

- there is no free access to such information on a lawful basis;

- the holder of such information takes appropriate measures to protect its confidentiality.

5.2. Without mutual consent, the Parties undertake not to disclose to third parties information about the content and terms of the Agreement.

5.3. The CONTRACTOR undertakes to prevent the recording of logs on virtual hosting servers and routing equipment.

5.4. Be careful: the CONTRACTOR's staff do not ask for passwords to virtual hosting accounts and dedicated servers. The exception is when the CUSTOMER asks for some work to be carried out on his dedicated Server.

Automatically translated Russian Business Network (RBN) Contractual Agreement/Contract: 

1. SUBJECT OF CONTRACT 

1.1. Customer Requests, but ARTIST is committed to the placement and / or registration CUSTOMER virtual server on the Internet. 

2. CONDITIONS OF IMPLEMENTATION OF THE TREATY 

2.1. At the conclusion of this treaty ARTIST produces initial 
setup and configuration of the virtual server and 

provides the necessary information for CUSTOMER virtual 
server administration. 

2.2. ARTIST provides access to the Internet to the virtual 
server, as well as efficiency of all available services 

CUSTOMER day seven days a week. 

3. PRICES AND ORDER OF PAYMENT 

3.1. Cost and arrangements of works under this contract at the time of its conclusion is determined in accordance with existing conditions, the staff distributed by E-Mail and/or ICQ. 

3.2. Payment is made ZAKAZCHIKOM as payment services support virtual web server ISPOLNITELEM. ARTIST right to suspend the provision of services at a negative status of the account. 

3.3. All dedicated servers are provided in a position 
UNMANAGED ie ISPOLNITELYA administrators can, but not 

OBYAZANY tune rented server. For any server setup 
CUSTOMER or scripts on it - charge of $ 50 USD /for 1 hour 

administrator ISPOLNITELYA to your question, at least half an 
hour. The full server administration specialists 

ISPOLNITELYA worth USD 250 per month. Free done 
rebooting the server (if not automatic form for this). 

3.4. If no payment ZAKAZCHIKOM bill on the last day of the period, the data are removed CUSTOMER new offensive on days without reciprocating. In the case of virtual hosting account and removed all of your backups, in case the rental server (dedicated or vps) server is removed from service, formatted hard drives. 

4. RESPONSIBILITY OF PARTIES 

4.1. ARTIST no responsibility to ZAKAZCHIKOM or third parties for any delays, interruptions, damage or losses that occur because of: 


(a) defects in any electronic or mechanical equipment, not 
belonging ISPOLNITELYU; 

(b) problems in the transfer of data or connection that 
occurred through no fault ISPOLNITELYA; 

(c) due to force majeure circumstances, in the conventional 
sense, that is, nepredotvratimymi forces and emergency 

circumstances, not subject to reasonable control; 

(g) pressure from the authorities. 

4.2. At the dissolution of the Treaty on the initiative 
CUSTOMER, ZAKAZCHIKU unused portion of the advance 

is not refundable. 

4.3. ARTIST reserves the right to suspend or terminate CUSTOMER service contract in order without the unconditional return of customer funds in the following cases: 

- Locating and zoofilii child pornography in any form; 

- attempted burglary, unauthorized entry to the server, in the accounts of other customers, trying to damage equipment or software; 

- attempted burglary governmental organizations in 
any form; 



- spam attempts of any kind from our servers hosting virtual except through SOCKS; 

- phishing attempts banks (stealing money); 

- posting on the arms trade and drug trafficking, or human organs, causing inter-ethnic and religious discord, calling for war and violence; 

- unjustified computing power overload virtual server hosting (which is allowed to use no more than 5 % of CPU capacity, and no more than 128 MB of RAM server); 

- attempted burglary of servers (and dedicated virtual hosting) - servers, which are located next to the rack, a customer in the same country where the server; 

- insulting to any form of service personnel. 

4.4. ARTIST is not responsible for the content of the information posted ZAKAZCHIKOM. 

4.5. ARTIST shall not be liable for any costs or damages arising directly or indirectly from the use of Web hosting services. 

4.6. MoneyBack for dedicated server is possible only in case 
the inaccessibility of the fault occurs on the server 

ISPOLNITELYA, because ARTIST pay for the full cost of a 
server in Data Center. Also possible replacement server. 



4.7. Placing sites CUSTOMER advertised on servers ISPOLNITELYA SPAM (as virtaulnogo hosting, and dedicated) is charged separately at the rate of the volume of letters. With volume of 5 million to 10 million USD = 1000 -1500 USD per month for the server in China or Cong Kongo or 150 USD week, or 500 USD per month for a virtual hosting, a 10-20 million = 200 USD week, or $ 2000 for a dedicated server. 

4.8. ARTIST undertakes to do daily backups CUSTOMER 
account for the third-party server (only virtual hosting). 

4.9. ARTIST undertakes to decide all complaints (abuzy / abuse), are not engaging in the CUSTOMER and without interference in the CUSTOMER data. ARTIST does not solve complaints (abuzy / abuse) from the police, government organizations and major VerSign. 

4.10. ARTIST gives no guarantees that the domain 
CUSTOMER not be blocked for any reason, but especially 

like any kind of SPAM, fraud, phishing, etc. 

5. CONFIDENTIAL INFORMATION 

5.1. The Parties undertake without the unanimous consent not to transfer to third parties or used in any other way other than prescribed conditions Treaty, organizational and technological, commercial, financial and other information, which is the secret to any of the parties (hereinafter - "confidential information"), provided that: 

- this information is actual or potential commercial value by virtue of its unknown third parties; 

- to such information no free access to the lawful; 

- holds such information shall take appropriate steps to ensure its confidentiality 

5.2. The Parties undertake, without unanimous consent, not 
to transfer to third parties about the content and 

conditions of the Treaty. 

5.3. ARTIST undertakes to prevent logging on servers 
and virtual hosting routing equipment. 

5.4. Be careful, do not require employees ISPOLNITELYA passwords from virtual hosting accounts and dedicated servers. The exception is when CUSTOMER request to any work for his Vydelennom Server. 

Excluding the direct offering of managed servers for spam sending in the actual agreement/contract, and the fact that their abuse department is virtually non-existent, the contract explicitly prohibits related malicious/fraudulent activity. Naturally, that's not the case when AbdAllah (VN) used to advertise its bulletproof hosting service across cybercrime-friendly communities, "back in the day": 

In 2013, despite the overall availability of RBN-like bulletproof hosting providers, cybercriminals continue experimenting with abusing legitimate infrastructure in an attempt to mitigate the risk of having their activities exposed. 

Various cases throughout the last couple of years include: 

• [5]Cybercriminals use Twitter, Linkedin, Baidu, MSDN as 
command and control infrastructure 

• [6]RSA: Banking trojan uses social network as command 
and control server 

• [7]Trojan.Whitewell: What's your (bot) Facebook Status 
Today? 

• [8]Twitter-based Botnet Command Channel 

• [9]Google Groups Trojan 

• [10]Zeus crimeware using Amazon's EC2 as command and control server 

The "best" is yet to come. 

This post has been reproduced from [11]Dancho Danchev's blog. Follow him [12]on Twitter. 

1. https://www.google.com/#bav=&q=site:ddanchev.blogspot.com+RBN 

2. http://www.shadowserver.org/wiki/uploads/Information/RBN-AS40989.pdf 

3. http://www.shadowserver.org/wiki/uploads/Information/RBN_Rizing.pdf 

4. http://ddanchev.blogspot.com/2008/01/rbns-fake-account-suspended-notices.html 

5. http://www.zdnet.com/blog/security/cybercriminals-use-twitter-linkedin-baidu-msdn-as-command-and-control-infrastructure/11210 

6. http://www.zdnet.com/blog/security/rsa-banking-trojan-uses-social-network-as-command-and-control-server/6877 

7. http://www.symantec.com/connect/blogs/trojanwhitewell-what-s-your-bot-facebook-status-today 

8. http://www.arbornetworks.com/asert/2009/08/twitter-based-botnet-command-channel/ 

9. http://www.symantec.com/connect/blogs/google-groups-trojan 

10. http://www.zdnet.com/blog/security/zeus-crimeware-using-amazons-ec2-as-command-and-control-server/5110 

11. http://ddanchev.blogspot.com/ 

12. http://twitter.com/danchodanchev 

Spamvertised 'Confirmed Facebook Friend Request' 
Themed Emails Serve Client-Side Exploits 

(2013-08-15 14:03) 

A currently circulating malicious spam campaign entices users into thinking that they've received a legitimate 'Friend Confirmation Request' on Facebook. In reality, though, the campaign attempts to exploit client-side vulnerabilities, [1]CVE-2010-0188 in particular. 

Client-side exploits serving URL: 

hxxp://facebook.com.n.find-friends.lindoliveryct.net:80/news/facebook-onetime.php?dpheelxa=11:30:11:1g:1j&pkvby=h&rzuhhh=1h:33:1o:2v:32:1o:2v:1o:1j:1m&ycxlcvr=1f:1d:1f:1d:1f:1d:1f 

Detection rate for the malicious PDF: [2]MD5: 39326c9a2572078c379eb6494dc326ab - detected by 3 out of 45 antivirus scanners as PDF/Blacole-FAA!39326C9A2572; Exploit:Win32/CVE-2010-0188; Exploit.Script.Pdfka.btvxj 

Domain name reconnaissance: 

facebook.com.n.find-friends.lindoliveryct.net - 66.230.163.86; 95.111.32.249; 188.134.26.172 - Email: zsupercats@yahoo.com 

Responding to the same IPs (66.230.163.86; 95.111.32.249; 188.134.26.172) are also the following malicious domains: 


Name servers used in these campaigns: 


The following malicious MD5s are also known to have phoned back to the same IPs/were downloaded from the same IPs in the past: 

This post has been reproduced from [3]Dancho Danchev's blog. Follow him [4]on Twitter. 

1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0188 

2. https://www.virustotal.com/en/file/667fc839167456a70f22cf5c6ef8f0291d4e1399374219469f56472251ec58af/analysis/1376565463/ 

3. http://ddanchev.blogspot.com/ 

4. http://twitter.com/danchodanchev 

The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Three (2013-08-21 20:57) 

Over the years, I've been persistently highlighting the abuse 
of compromised hosts as either 'stepping stones', 

or as the primary facilitators for 'island hopping' campaigns, 
empowering those using them with the necessary 

non-attributable 'know-how' to not just anonymize their 
Internet activities, but also, engineer cyber warfare tensions. 

The utilization of hacked/compromised hosts/PCs as 'island 
hopping' points, or as 'stepping stones', continues 

to take place in 2013, with more managed cybercrime- 
friendly services offering access to compromised hosts 

located virtually all over the World, access to which can be 
bought in a cost-effective manner, thanks to the available 

discounts or price discrimination schemes. 

Catch up with previous research on the topic: 

• [l]The Cost of Anonymizing a Cybercriminal's Internet 
Activities 

• [2]The Cost of Anonymizing a Cybercriminal's Internet 
Activities - Part Two 

• [3]Cybercriminals SQL Inject Cybercrime-friendly Proxies 
Service 

• [4]Malware Infected Hosts as Stepping Stones 



• [5]Hacked PCs as 'anonymization stepping-stones' service 
operates in the open since 2004 

• [6]'Malware-infected hosts as stepping stones' service offers access to hundreds of compromised U.S based hosts 

• [7]New service converts malware-infected hosts into 
anonymization proxies 

What has changed over the years? Is what was once thought to be the future of anonymization for cybercrime-friendly activities, 'proxy chaining' - think chaining of connections between multiple malware-infected hosts - still relevant today? Or was the concept largely replaced by the log- and data-retention-free cybercrime-friendly VPN providers that continue popping up on everyone's radar? 

Since 2010, an HTTPS-supporting DIY application for managing multiple gates (a gate being a proxy, which can be a Socks 4/Socks 5 compromised host, provided it has been properly configured for the purpose) has been commercially available for cybercriminals to take advantage of. It performs a Man-in-the-Middle "attack" on the requests passed through the "chain" of compromised hosts/servers, modifying their cookies/headers in order to randomize them for anonymization purposes. 

Let's take a close look at this state of the art gate/proxy 
chaining cybercrime-friendly application. 



Sample screenshots of the application's interface: 
The application's author is also known to have released custom builds for various cybercrime-friendly forums: 

Some of its core features include: 

[+] HTTPS support for php-gates, needs OpenSSL 

[+] Ability to set a password on the gate. 

[+] Ability to work with a gate through any proxy (HTTP(S), SOCKS4, SOCKS5). 

[+] Working with gates exclusively via the GET method, which provides protection from detection by the log files on the server. 

[+] Ability to set Cookies, transferred during handling to the gate. This is useful for hiding the code in the files of the site gate. Format: "cookie = value; cookie2 = 

[+] Processing of each compound is in a separate stream. 

[+] Ability to unlimited downloads and uploads of large files (in case of inability to bypass restrictions set_time_limit() can download files in a few times, provided support to resume from the target server). 

[+] Preprocessing mechanism optimizes queries under HTTP 1.0. 

[+] The presence of an encryption key must be specified (purely symbolic encryption to hide traffic from prying eyes), and all data, including the password for the gate, are transmitted in encrypted form. Enable / disable the encryption does not require editing the code gate. 

[+] Ability to work with several gates. In this case, each gate is assigned a specific User-Agent (assigned by chance) that does not allow the target site to link together the requests from different gates. 

[+] Ability to add to a request to the target site the headers X-Forwarded-For, X-Real-IP and Via with random IP-addresses (in this case, sites that use mechanisms for determining the visitor's IP address from these headers, or use mod_realip, will end up logging bogus addresses, as these headers mislead the site administrator). 

[+] Ability to select the interface to listen on. 

[+] More statistics on network connections, there are different levels of profiling queries (and no logs are written to the file). 

[+] Support chains gates. 

[+] Chain of 3 modes: 

- Direct sequence (traffic passes through a series of gates that you clearly stated) 

- Random chain (each request is passed through a randomly built chain of gates) 

- Casual chain with specific output gate time (similar to the previous mode, except that the final gate remains constant). 

[+] Ability to speed up surfing through the chain by local caching of IP-addresses. 

[+] Support for HTTPS gates is not independent of their number. 

[+] Using a cascade encryption - the ability to use any number of gates with different encryption keys. 

[+] Built-in checker of gates. 

[+] You can check all the gates at once, or each gate individually when adding / editing. 

[+] Built-in gates. 

[+] Ability to insert into the gate code a pre-generated table of permutations. This eliminates the need to store the encryption key directly in the Gate, and to generate a table for each access to the gate. 

[+] Automate the process of creating a masked gate with Cookies 

[+] Ability to delete from the code perevodov lines and tabs. 

[+] Ability to set proivolnyh request headers. 

[+] Ability to define hosts, which will be sent to a specific heading. 

[+] Ability to temporarily activate / deactivate a specific heading. 

[+] Gain Control key to 2048 bits (256 bytes) using md5 

[+] Complete independence from each other bytes (including the order of the bytes and encrypted block length). 

[+] The variable number of rounds of permutations, depending on the key. 

[+] Partly salt as XOR'a-byte hash key. 
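
The header-stamping feature in the list above (random X-Forwarded-For / X-Real-IP / Via values) only works against sites that trust those headers from anyone. As an added example that is not from the original post or from the tool it describes, the following Python attributes a request to the TCP peer and honours forwarding headers only when the peer is one of our own proxies; TRUSTED_PROXIES, the bogon list and the sample requests are constructed for illustration.

```python
"""Client attribution when X-Forwarded-For / X-Real-IP / Via may be forged.

Rule: only the TCP peer address is authoritative. Forwarding headers are
honoured solely when the peer is one of our own reverse proxies, and then
only the hop those proxies appended themselves is used. Added example, not
code from the original post or the tool it describes; TRUSTED_PROXIES, the
bogon list and SAMPLE_REQUESTS are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

# Our own reverse proxies / load balancers (constructed example values).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("203.0.113.10/32")]
# Short illustrative list of ranges that can never be a real internet client
# arriving at our edge (deliberately not a complete bogon list).
_BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]


def _in_any(ip, nets):
    # ip_network.__contains__ is False across IPv4/IPv6, so mixing is safe.
    return any(ip in net for net in nets)


def _parse_ip(token):
    """Return an ip_address, or None if the token is not a valid address."""
    try:
        return ipaddress.ip_address(token.strip())
    except ValueError:
        return None


@dataclass
class Attribution:
    client_ip: str                                 # address to log as the visitor
    anomalies: list = field(default_factory=list)  # reasons to flag the request


def attribute_client(peer_ip, headers):
    """Pick the address to log, treating forwarding headers as hostile input.

    peer_ip: source address of the TCP connection (not forgeable in a
             completed handshake, unlike any HTTP header).
    headers: request headers as a dict; lookup is case-insensitive.
    """
    h = {k.lower(): v for k, v in headers.items()}
    peer = ipaddress.ip_address(peer_ip)
    result = Attribution(client_ip=str(peer))
    xff, xrip, via = h.get("x-forwarded-for"), h.get("x-real-ip"), h.get("via")

    if not _in_any(peer, TRUSTED_PROXIES):
        # Direct connection (or one via somebody else's proxy chain): every
        # forwarding header is attacker-controlled, so log the peer itself.
        if xff or xrip or via:
            result.anomalies.append("proxy headers from untrusted peer ignored")
        return result

    # Peer is our proxy. Walk X-Forwarded-For right to left: our proxies
    # append the address they saw, so the right-most entries are the ones we
    # can vouch for; skip our own hops and stop at the first real one.
    for token in reversed(xff.split(",") if xff else []):
        ip = _parse_ip(token)
        if ip is None:
            result.anomalies.append(f"malformed XFF entry {token.strip()!r}")
        elif _in_any(ip, TRUSTED_PROXIES):
            continue
        elif _in_any(ip, _BOGON_NETS):
            result.anomalies.append(f"non-routable XFF entry {ip}")
        else:
            result.client_ip = str(ip)
            break
    else:
        result.anomalies.append("no usable client hop behind trusted proxy")

    # A proxy that sets X-Real-IP sets it to the same client it appended.
    if xrip and xrip.strip() != result.client_ip:
        result.anomalies.append("X-Real-IP disagrees with X-Forwarded-For")
    return result


# Constructed sample requests (RFC 5737 documentation addresses):
# 1 direct connection carrying forged headers; 2 visitor behind our edge
# proxy with forged entries left of the real hop; 3 two tiers of our own
# proxies; 4 trusted peer but nothing usable in the headers.
SAMPLE_REQUESTS = [
    ("198.51.100.7", {"X-Forwarded-For": "192.0.2.44, 203.0.113.77",
                      "X-Real-IP": "192.0.2.44", "Via": "1.1 random-gate"}),
    ("10.0.0.5", {"X-Forwarded-For": "192.0.2.44, 127.0.0.1, 198.51.100.7",
                  "X-Real-IP": "198.51.100.7"}),
    ("10.0.0.5", {"X-Forwarded-For": "198.51.100.7, 10.0.0.9",
                  "X-Real-IP": "198.51.100.7"}),
    ("10.0.0.5", {"X-Forwarded-For": "not-an-ip, 127.0.0.1",
                  "X-Real-IP": "192.0.2.1"}),
]


def triage(requests=SAMPLE_REQUESTS):
    """Attribute every request; anything with anomalies deserves a closer look."""
    return [attribute_client(peer, hdrs) for peer, hdrs in requests]
```

Requests 1 and 4 come back flagged while 2 and 3 attribute cleanly to 198.51.100.7, the host that actually connected to our edge, whatever was stamped to the left of it.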

With the ease of assessing a malware-infected host's bandwidth, thanks to the overall availability of such an option among the most popular managed services offering access to such hosts, it shouldn't be surprising that a potential cybercriminal using this application would be in a perfect position to create - [8]in a DIY fashion - a stable anonymous network, to further assist him on his way to achieving his fraudulent or purely malicious objectives. 



The bottom line? What's the cost of anonymizing a 
cybercriminal's Internet activities? 1,900 rubles or $57.53 

for the application, in this particular case. 

This post has been reproduced from [9]Dancho Danchev's blog. Follow him [10]on Twitter. 

1. http://ddanchev.blogspot.com/2008/10/cost-of-anonymizing-cybercriminals.html 

2. http://ddanchev.blogspot.com/2009/02/cost-of-anonymizing-cybercriminals.html 

3. http://ddanchev.blogspot.com/2010/07/cybercriminals-sql-inject-cybercrime.html 

4. http://ddanchev.blogspot.com/2008/02/malware-infected-hosts-as-stepping.html 

5. http://blog.webroot.com/2013/03/20/hacked-pcs-as-anonymization-stepping-stones-service-operates-in-the-open-since-2004/ 

6. http://blog.webroot.com/2013/08/02/malware-infected-hosts-as-stepping-stones-service-offers-access-to-hundreds-of-compromised-u-s-based-hosts/ 

7. http://blog.webroot.com/2012/03/02/new-service-converts-malware-infected-hosts-into-anonymization-proxies/ 

8. http://blog.webroot.com/tag/diy/ 

9. http://ddanchev.blogspot.com/ 

10. http://twitter.com/danchodanchev 
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Vendor of Scanned Fake IDs, Credit Cards and Utility 
Bills Targets the French Market Segment 

(2013-08-22 18:19) 

Continuing the series of blog posts detailing the very latest 
efficiency/quality/scalability/universal business concepts 

oriented underground market propositions for fake IDs, credit 
cards and utility bills, in this post I'll discuss an example of 
market segmentation in terms of supplying them, through an 
ad targeting potential cybercriminals based in France, 

or international cybercriminals wanting to enter the French 
market. 

Catch up with previous research on the topic: 

• [1]Newly Launched 'Scanned Fake Passports/IDs/Credit 
Cards/Utility Bills' Service Randomizes and Generates 

Unique Fakes On The Fly 

• [2]A Peek Inside the Russian Underground Market for Fake 
Documents/IDs/Passports 

What's so special about this underground market proposition, 
anyway? It's the market segmentation taking place 

through the eyes of the vendor, as well as the diversity of 
scanned .PSD Photoshop templates, the non-modifiable 

scanned documents, and the actual availability of physical 
fake IDs, all of them exclusively targeting the French 


market segment. 



Sample screenshot of the advertisement: 
There are several types of vendors contributing to the currently mature state of the market for fake IDs/documents, or to the cybercrime ecosystem in general. Let's discuss the most popular types of market players. 

Among the rarest type of such vendors is the experienced one who tends not to advertise at public or commercially accessible cybercrime-friendly communities. Although it would seem fairly logical to assume that the applied OPSEC (Operational Security) would be directly proportional to the decrease in processed orders, since it would limit the visibility of his services within the cybercrime ecosystem, that's not necessarily the case when quality, experience, sophistication and, of course, high profit margins based on perceived value come into play. Besides the lack of mass advertisements, the vendor would also not list his contact details, and would only do business with cybercriminals with a proven reputation within not just the community in question, but also across the entire ecosystem. 

Next are those vendors who'd sacrifice OPSEC, for the sake of 
reaching as many customers as possible in an 


attempt to monetize this market 'touch point' with other 
prospective cybercriminals. They advertise on public 

and on commercially accessible cybercrime-friendly 
communities, usually have a decent reputation, with 
generally 

positive feedback from their customers, and of course, never 
fail to 'deliver' what they pitch. 
There's yet another type of such vendors worth discussing: those who 'populate' a newly launched community with their propositions, and most often target novice cybercriminals with zero understanding of cybercrime ecosystem reputation dynamics, who are still looking to purchase this desired, but largely commoditized, underground market good. 

With more vendors of fake IDs/documents popping up across 
the entire ecosystem, the series of blog posts 

profiling their activities, are prone to expand. 

This post has been reproduced from [3]Dancho Danchev's blog. Follow him [4]on Twitter. 

1. http://ddanchev.blogspot.com/2013/07/newly-launched-scanned-fake.html 

2. http://ddanchev.blogspot.com/2013/05/a-peek-inside-russian-underground.html 

3. http://ddanchev.blogspot.com/ 

4. http://twitter.com/danchodanchev 
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Vendor of Scanned Fake IDs, Credit Cards and Utility 
Bills Targets the French Market Segment 

(2013-08-22 18:19) 

Continuing the series of blog posts detailing the very latest 
efficiency/quality/scalability/universal business concepts 

oriented underground market propositions for fake IDs, credit 
cards and utility bills, in this post I'll discuss an example of 
market segmentation in terms of supplying them, through an 
ad targeting potential cybercriminals based in France, 

or international cybercriminals wanting to enter the French 
market. 

Catch up with previous research on the topic: 

• [l]Newly Launched 'Scanned Fake Passports/IDs/Credit 
Cards/Utility Bills' Service Randomizes and Generates 

Unique Fakes On The Fly 

• [2]A Peek Inside the Russian Underground Market for Fake 
Documents/IDs/Passports 

What's so special about this underground market proposition, 
anyway? It's the market segmentation taking place 

through the eyes of the vendor, as well as the diversity of 
scanned .PSD Photoshop templates, the non-modifiable 

scanned documents, and the actual availability of physical 
fake IDs, all of them exclusively targeting the French 



market segment. 

Sample screenshot of the advertisement: 
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There are several types of vendors contributing to the 
currently mature state of the market for fake IDs/documents, 

or to the cybercrime ecosystem in general. Let's discuss the 
most popular types of market players. 

Among the rarest type of such vendors is the experienced 
one who tends not to advertise at public or com¬ 
mercially accessible cybercrime-friendly communities. 
Although it would seem fairly logical to assume that the 

applied OPSEC (Operational Security) would be directly 
proportional with the decrease in processed orders since it 

would limit the visibility of his services within the 
cybercrime ecosystem, that's not necessarily the case when 
quality, 

experience, sophisticated, and, of course, high profit 
margins based on perceived value come into play. In 
between 

the lack of mass advertisements, the vendor would also not 
list his contact details, and would only do business with cy¬ 
bercriminals with proven reputation within not just the 
community in question, but also, across the entire 
ecosystem. 


Next are those vendors who'd sacrifice OPSEC for the sake of reaching as many customers as possible, in an attempt to monetize this market 'touch point' with other prospective cybercriminals. They advertise on public and on commercially accessible cybercrime-friendly communities, usually have a decent reputation, with generally positive feedback from their customers, and of course, never fail to 'deliver' what they pitch.
There's yet another type of such vendors worth discussing. It's those who 'populate' a newly launched community with their propositions, and most often target novice cybercriminals with zero understanding of cybercrime ecosystem reputation dynamics, who are still looking to purchase this desired, but largely commoditized, underground market good.

With more vendors of fake IDs/documents popping up across the entire ecosystem, the series of blog posts profiling their activities is prone to expand.

1. http://ddanchev.blogspot.com/2013/07/newly-launched-scanned-fake.html

2. http://ddanchev.blogspot.com/2013/05/a-peek-inside-russian-underground.html
The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Four (2013-08-23 17:16)

Continuing the "The Cost of Anonymizing a Cybercriminal's Internet Activities" series, in this post I'll profile an API-supporting, blackhat SEO-friendly vendor of anonymization services, which is currently offering hundreds of thousands of compromised SSH accounts, HTTP/HTTPS based (compromised) proxies, and the ubiquitous, for the cybercrime ecosystem, Socks 4/5 servers.

Catch up with related research on the topic: 

• [1]The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Three

• [2]The Cost of Anonymizing a Cybercriminal's Internet Activities

• [3]The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Two

• [4]Cybercriminals SQL Inject Cybercrime-friendly Proxies Service

• [5]Malware Infected Hosts as Stepping Stones

• [6]Hacked PCs as 'anonymization stepping-stones' service operates in the open since 2004

• [7]'Malware-infected hosts as stepping stones' service offers access to hundreds of compromised U.S based hosts

• [8]New service converts malware-infected hosts into anonymization proxies

The service is currently offering access to 180,331 compromised SSH accounts, 9597 HTTP/HTTPS proxies, and 110,185 (compromised) Socks servers located virtually all over the World.

How are they gaining access to this accounting data in the first place? Despite the overall availability of brute-forcing tools, in 2013 one of the most popular tactics for obtaining stolen/compromised accounting data remains the practice of 'data mining' a botnet's already infected 'population' for virtually any kind of accounting data, to be later on monetized through multiple distribution/abuse channels.

Sample screenshots of the anonymization service:

Sample screenshots of the API in action:

What's also worth emphasizing is the fact that the service is not just targeting potential cybercriminals wanting to anonymize their Internet activities, but also [9]black hat SEO monetizers, who now have access to hundreds of thousands of fresh Socks servers for the purpose of abusing them on their way to monetize their fraudulent/malicious campaigns.

[10]Vertical market integration, or the one-stop-shop market model, has always been an inseparable part of the cybercrime ecosystem, as it increases the probability that a cybercriminal's one-stop-shop would immediately occupy a larger market share within the cybercrime ecosystem, consequently resulting in more revenue from the facilitation of fraudulent and malicious activity.

Some of the most popular instances of this trendy business concept, applied by cybercriminals internationally, include but are not limited to the following real-life underground market propositions:


• A vendor of [11]mobile spamming services would not only offer the actual spamming process, but also offer harvested mobile numbers as a value-added service, next to the on-demand harvesting of mobile numbers for any given geographical region.

• A vendor of [12]managed spam services would also offer the option to buy segmented and geolocated, as well as often validated, email addresses, with the ability to perform custom harvesting for any given country.

• A [13]vendor of a managed iFraming platform would also offer access to hijacked traffic, to be automatically converted into malware-infected hosts through the platform, with additional services such as managed crypting of the iFrame/malicious script in real time.

• An [14]author of a Web malware exploitation kit would also offer managed iFrame/script crypting services, next to bulletproof hosting in case the customer desires those.

The cost of anonymizing a cybercriminal's Internet activities in this particular case? The price is shaped based on the anonymization method of choice.

This post has been reproduced from [15]Dancho Danchev's blog. Follow him [16]on Twitter.



1. http://ddanchev.blogspot.com/2013/08/the-cost-of-anonymizing-cybercriminals.html

2. http://ddanchev.blogspot.com/2008/10/cost-of-anonymizing-cybercriminals.html

3. http://ddanchev.blogspot.com/2009/02/cost-of-anonymizing-cybercriminals.html

4. http://ddanchev.blogspot.com/2010/07/cybercriminals-sql-inject-cybercrime.html

5. http://ddanchev.blogspot.com/2008/02/malware-infected-hosts-as-stepping.html

6. http://blog.webroot.com/2013/03/20/hacked-pcs-as-anonymization-stepping-stones-service-operates-in-the-open-since-2004/

7. http://blog.webroot.com/2013/08/02/malware-infected-hosts-as-stepping-stones-service-offers-access-to-hundreds-of-compromised-u-s-based-hosts/

8. http://blog.webroot.com/2012/03/02/new-service-converts-malware-infected-hosts-into-anonymization-proxies/

9. http://ddanchev.blogspot.com/2013/04/whats-roi-on-going-to-virtual-blackhat.html

10. http://blog.webroot.com/2013/01/08/black-hole-exploit-kit-authors-vertical-market-integration-fuels-growth-in-malicious-web-activity/

11. http://blog.webroot.com/2012/05/07/managed-sms-spamming-services-going-mainstream/

12. http://blog.webroot.com/2012/05/17/a-peek-inside-a-managed-spam-service/

13. http://blog.webroot.com/2013/06/03/compromised-ftpssh-account-privilege-escalating-mass-iframe-embedding-platform-released-on-the-underground-marketplace/

14. http://blog.webroot.com/2013/01/08/black-hole-exploit-kit-authors-vertical-market-integration-fuels-growth-in-malicious-web-activity/

15. http://ddanchev.blogspot.com/

16. http://twitter.com/danchodanchev
Cybercriminals Offer High Quality Plastic U.S Driving Licenses/University ID Cards (2013-08-29 02:26)

Continuing the series of blog posts profiling the most recent underground market propositions for high quality fake passports/IDs/documents, in this post I'll emphasize on a cybercrime-friendly vendor that's exclusively targeting the U.S market.

Go through previous research into the market for fake passports/IDs/documents:

• [1]Newly Launched 'Scanned Fake Passports/IDs/Credit Cards/Utility Bills' Service Randomizes and Generates Unique Fakes On The Fly

• [2]A Peek Inside the Russian Underground Market for Fake Documents/IDs/Passports

• [3]Vendor of Scanned Fake IDs, Credit Cards and Utility Bills Targets the French Market Segment

Offering fake plastic driving licenses for over 25+ U.S States, including student IDs for major U.S Universities, for a static price of $150, the vendor not just currently outperforms competing vendors in terms of quality in this particular market segment - within the cybercrime-friendly community in question - but is also already receiving recommendations from other cybercriminals to raise the price of his underground market 'asset', indicating penetration pricing in action.

Payment methods accepted? Bitcoin, Western Union and Moneygram.

Sample underground market ad:

[VENDOR'S NAME REDACTED] has over 25+ states on tap, along with 'secondaries' to offer, all of which are high quality, meaning instate without issue, in most cases. All IDs contain UV (where applicable as some states don't), multispec-hologram, 1D/2D barcode and/or magstripe that will scan/swipe to read DMV/AAMVA license standard.

The vendor is requiring the following data from his potential customers:

Name - First, MI, Last
Address
DOB
Sex
Hair Color
Height
Weight
Eye color
Driver License number - if a number isn't provided one will be randomly generated
Endorsements and/or Restrictions - if not included these will be left blank
Scanned signature - if not provided you will receive a generic font signature
*****More\Less info may be required depending on the state requested
Scanned passport picture - no webcam pictures can be accepted.

If you cannot get a real passport picture and have a decent camera, please take a pic from the chest up against a white background/drywall with the flash 'ON'. I will handle the cropping aspect. Also try to have good lighting and when scanning use high resolution. You may also upload a signature. I ask that this be written using a black sharpie style pen to achieve the best results.

You may upload this info to sendspace.com or the file-sharing site of your choosing and forward me the download link. I will confirm reception via email and your order will begin processing. All IDs are 150USD with incentive to group buys. Payment can be made via BTC, WU, Moneygram. Payment will be collected upon completion and approval of your order.

Sample screenshots of the service's current 'inventory':

The market for fake passports/IDs/documents is prone to flourish, as more cybercriminals demand both scanned and plastic fake IDs, to be later on abused in related fraudulent schemes. Naturally, the market is quick to supply, and those who excel in their Operational Security and the quality of their underground market 'assets' will begin occupying a decent market share within this underground market segment.

This post has been reproduced from [4]Dancho Danchev's blog. Follow him [5]on Twitter.

1. http://ddanchev.blogspot.com/2013/07/newly-launched-scanned-fake.html

2. http://ddanchev.blogspot.com/2013/05/a-peek-inside-russian-underground.html

3. http://ddanchev.blogspot.com/2013/08/vendor-of-scanned-fake-ids-credit-cards.html

4. http://ddanchev.blogspot.com/

5. http://twitter.com/danchodanchev
Profiling a Novel, High Profit Margins Oriented, Legitimate Companies Brand-Jacking Money Mule Recruitment Scheme (2013-08-29 22:41)

Over the years, I've been actively researching the money mule recruitment epidemic, providing actionable (real-time/historical) intelligence on their activities, exposing [1]their DNS infrastructure, offering an exclusive peek inside [2]the Administration Panels utilized by money mules, emphasizing on current and emerging tactics applied by the individuals orchestrating the final stages of a fraudulent operation - the cash out process through basic risk-forwarding.

Catch up with previous research on the money mule recruitment problem:

• [3]Spotted: cybercriminals working on new Western Union based 'money mule management' script

• [4]Keeping Money Mule Recruiters on a Short Leash - Part Eleven

• [5]Keeping Money Mule Recruiters on a Short Leash - Part Ten

• [6]Keeping Money Mule Recruiters on a Short Leash - Part Nine

• [7]Keeping Money Mule Recruiters on a Short Leash - Part Eight - Historical OSINT

• [8]Keeping Money Mule Recruiters on a Short Leash - Part Seven

• [9]Keeping Money Mule Recruiters on a Short Leash - Part Six

• [10]Keeping Money Mule Recruiters on a Short Leash - Part Five

• [11]The DNS Infrastructure of the Money Mule Recruitment Ecosystem

• [12]Keeping Money Mule Recruiters on a Short Leash - Part Four

• [13]Money Mule Recruitment Campaign Serving Client-Side Exploits

• [14]Keeping Money Mule Recruiters on a Short Leash - Part Three

• [15]Money Mule Recruiters on Yahoo!'s Web Hosting

• [16]Dissecting an Ongoing Money Mule Recruitment Campaign

• [17]Keeping Money Mule Recruiters on a Short Leash - Part Two

• [18]Keeping Reshipping Mule Recruiters on a Short Leash

• [19]Keeping Money Mule Recruiters on a Short Leash

• [20]Standardizing the Money Mule Recruitment Process

• [21]Inside a Money Laundering Group's Spamming Operations

• [22]Money Mule Recruiters use ASProx's Fast Fluxing Services

• [23]Money Mules Syndicate Actively Recruiting Since 2002
In this post, I'll profile a novel money mule recruitment scheme that involves high profit margins - of course for the ones organizing the scheme - through a direct and, most importantly, (pseudo) legal brand-jacking of a gullible business owner's brand name, enticing him/her into opening a merchant account for processing E-commerce transactions coming from more gullible and socially engineered mules.

It all begins with an email coming from a non-existent "environmental enterprise", that in this particular case is abusing Google's brand in an attempt to increase the probability of a successful interaction with the socially engineered business owners:

Sample email:

Environmental enterprise searching for representation internationally

5 % commission on 200K cash flow originated from promotion and sales of proprietary research articles

Necessary conditions:

- Own a company
- Be reachable on daily basis through E-mail, phone or Skype
- Proper execution of all planned undertakings

In case if being interested, please provide:

- Name and Surname
- Age
- Telephone number (including country code)
- City and Country
- Email

Please answer to: NAME@googleapp-consult.com

Faithfully yours,

HR dept

Those who reply are kindly asked to open a merchant bank account using their own company data, and assured that, despite the fact that the Web site which will be selling the bogus 'research articles' will be using their (legitimate) business brand's name and contact details, they will still receive their 5 % commission on 200,000/250,000 EUR in anticipated revenue, which would naturally be coming directly from other mules participating in the fraudulent scheme. Moreover, despite the fact that a business owner will have his company brand, logo and contact information listed at the Web site, he/she will have zero visibility into the non-existent purchasing process of this research, as "all customer service, sales, technical logistics, etc. are to be handled by us."

Why would a potential cybercrime syndicate want a socially engineered business owner to open a merchant bank account using his/her own data? Pretty simple. In my previous research on [24]the standardization of the money mule recruitment process, I emphasized on how money mules are often vetted through online-based surveys, which always ask questions that are important from a mule recruiter's perspective, such as: when did you first open your bank account, and do you have any limitations on incoming/outgoing monetary transactions on it?

However, an established company would always benefit from the trust it has already established with its financial institution/service of choice, meaning that it will not only get its merchant account opened, but will also successfully pass the majority of the verification protection mechanisms for high volume transactions put in place by the financial institution/service.

Sample reply email:

Thank you for your reply

We are a company involved in development, branding and launching of several web media and IT projects involved in consulting on green technology, renewables and alternative energy sources. Several of the projects are being currently launched online and each one will need to have a card payment interface. This collaboration refers to opening a merchant account for online credit card acceptance (E-commerce).

We would need your company to open a merchant account for card acceptance and handle the receivables derived from the sales generated by each project. A bank/payment provider will facilitate data needed for website integration with their E-commerce payment gateway. We will handle the technical side of such integration in full.

We will brand the website under your company, therefore the administrative company data listed on the website will be yours, but all customer service, technical logistics and sales are to be handled by us.

The products sold will be proprietary research articles and information packages on green technology, renewables and alternative energy sources.

Incoming proceedings from sales will be settled by the bank (or the payment provider) into your business bank account on a time scale defined by the bank (or the payment provider).

These sale proceedings will be transferred to us, minus your commission and expenses incurred. The volume of monthly payments processed through the merchant account will be in the order of EUR 200,000 - EUR 250,000 per month in the initial months. The expected rise is roughly 5-6 % every month. The commission proposed to you stands at 5 % of the mentioned volume.

All the expenses related to the operation including the banking and transactions fees and the merchant account setup and related fees are to be covered by us. If you agree in principle, I will provide the contract draft to define the legal terms of our collaboration.

Yours sincerely,

Michael Torti
General Manager
ECOFIN Projects (Gibraltar)
Tel/Fax: +350 2006 1287

Who are ECOFIN Projects (ecofinservices.net - 50.63.220.106)? Nothing more than [25]a cybercrime-friendly "marketing agency" at its best.
Sample About Us description:

Ecofin is offering outstanding solutions which are useful in maximizing revenues that are generated through a wide range of investment sectors and global assets. A wide range of services and financial opportunities are being offered for manufacturers, developers, owners as well as financial investors interested in our niche investment portfolios and services.

We are operating as a globally safe company as well as involving risk and integrity management expertise that brings together practical experience along with cutting edge, innovative engineering and technologies. The company is research based which is primarily focused on environmental sectors, alternative energy, infrastructure, as well as utility all around the globe.

The firm is practicing a fundamental and basic approach while it comes to managing its clientele assets. Ecofin is useful in developing, branding as well as launching exclusive information sales podiums based on alternative, as well as green technological sources along with IT and web media themes. The company is dedicated to providing its clients with the highest levels of quality services and investment returns within the niche industries that we focus upon.
Contact details:

+350 200 67911 (Gibraltar)
+852 5808 2461 (Hong Kong)
+54 11 5984 1154 (Buenos Aires)
+44 20 3051 6249 (London)

Skype: ecofin2013
Suite 4, 209 Main Street
Gibraltar GBZ 1AA

A potentially socially engineered business owner would then be contacted with a similar email:

Please find the Contract draft attached, review and confirm your agreement with every point of it. The next step would be to provide the proper company data to be put in the contract and produce the final version for the signing.

Please review the showcase website:

This site will be copied into a new domain reflecting your company name and your company data.

As indicated, all customer service, sales, technical logistics, etc. are to be handled by us. You would need to open a merchant account for online credit card acceptance (E-commerce).

The customers will be from all over the world. All the issues related to sales, marketing, customer service, supply, logistics, etc. are to be handled by us. You will be required to open a merchant account for online credit card acceptance, receive the funds and transfer us the proceedings, as indicated in the contract draft with detail. No capital or any upfront payments from your side are required. If it is necessary to cover any upfront fees for the merchant account establishment, we will transfer such fees to you beforehand.

Sample Web Site Template offered as an example of how a socially engineered business owner's company-branded Web site would look like (greentechidea.com - 50.63.39.1):
Sample copy of the Contract:

Sample domains from the mule recruitment campaigns spamvertised over email:

googleapp-consult.com
googleapps-euro.com
worlds-trade.com
trades-consult.com
worlds-diploms.com

Sample name servers involved in the campaign:

NS1.ELCACAREO.NET - 184.82.62.16; 136.0.16.169; 184.82.204.70 - Email: shanghaiherald32(a)yahoo.com
NS2.ELCACAREO.NET - 6.87.78.121

The same email (shanghaiherald32@yahoo.com) is also known to have been used to register the following fraudulent/malicious domains:

badstylecorps.com
tvbHps.net
viperlair.net
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Profiling a Novel, High Profit Margins Oriented, 
Legitimate Companies Brand-Jacking Money Mule Re¬ 
cruitment Scheme (2013-08-29 22:41) 

Over the years, I've been actively researching the money 
mule recruitment epidemic, providing actionable (real¬ 
time/historical) intelligence on their activities, exposing 

[1] their DNS infrastructure, offering exclusive peek 
inside 

[2] the Administration Panels utilized by money 
mules, emphasizing on current and emerging tactics 
applied by the 

individuals orchestrating the final stages of a fraudulent 
operation - the cash out process through basic risk¬ 
forwarding. 



















Catch up with previous research on the money mule 
recruitment problem: 

• [3]Spotted: cybercriminals working on new Western Union 
based 'money mule management' script 

• [4]Keeping Money Mule Recruiters on a Short Leash - Part 
Eleven 

• [5]Keeping Money Mule Recruiters on a Short Leash - Part 
Ten 

• [6]Keeping Money Mule Recruiters on a Short Leash - Part 
Nine 

• [7]Keeping Money Mule Recruiters on a Short Leash - Part 
Eight - Historical OSINT 

• [8]Keeping Money Mule Recruiters on a Short Leash - Part 
Seven 

• [9]Keeping Money Mule Recruiters on a Short Leash - Part 
Six 

• [10]Keeping Money Mule Recruiters on a Short Leash - Part 
Five 

• [ll]The DNS Infrastructure of the Money Mule Recruitment 
Ecosystem 

• [12]Keeping Money Mule Recruiters on a Short Leash - Part 
Four 

• [13]Money Mule Recruitment Campaign Serving Client- 
Side Exploits 

• [14]Keeping Money Mule Recruiters on a Short Leash - Part 
Three 



• [15]Money Mule Recruiters on Yahool's Web Hosting 

• [16]Dissecting an Ongoing Money Mule Recruitment 
Campaign 

• [17]Keeping Money Mule Recruiters on a Short Leash - Part 
Two 

• [18]Keeping Reshipping Mule Recruiters on a Short Leash 

• [19]Keeping Money Mule Recruiters on a Short Leash 

• [20]Standardizing the Money Mule Recruitment Process 

• [21]lnside a Money Laundering Group's Spamming 
Operations 

• [22]Money Mule Recruiters use ASProx's Fast Fluxing 
Services 

• [23]Money Mules Syndicate Actively Recruiting Since 
2002 
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In this post, I'll profile a novel money mule recruitment 
scheme, that involves high profit margins - of course for the 
ones organizing the scheme - through a direct, and most 
importantly, (pseudo) legal brand-jacking of a 

gullible business owner's brand name, enticing him/her into 
opening a merchant account for processing E-commerce 

transactions, coming from more gullible and socially 
engineered mules. 

It all begins with an email coming from a non-existent 
"environmental enterprise", that in this particular case 



is abusing Google's brand in an attempt to increase the 
probability of a successful interaction with the socially 

engineered business owners: 

Sample email: 

Environmental enterprise searching for representation 
internationally 

5 % commission on 200K cash flow originated from 
promotion and sales of proprietary research articles 

Necessary conditions: 

- Own a company - Be reachable on daily basis through E- 
mail, phone or Skype - Proper execution of all planned 

undertakings 

in case if being interested, please provide: 

- Name and Surname - Age - Telephone number (including 
country code) - City and Country - Email 

Please answer to: NAME@googleapp-consult.com 

Faithfully yours, 

HR dept 

Those who reply are kindly asked to open a merchant bank 
account using their own company data, and assured that, 

despite the fact that the Web site which will be selling the 
bogus 'research articles' will be using their (legitimate) 



business brand's name and contact details, they will still 
receive their 5 % commission on a 200,000/250,000 EUR 

in anticipated revenue, which would naturally be coming 
directly from other mules participating in the fraudulent 

scheme. Moreover, despite that a business owner will have 
his company brand, logo, contact information listed at 

the Web site, he/she will have zero visibility to the non¬ 
existent purchasing process of this research, as " all 
customer service, sales, technical logistics, etc. are to be 
handled by us. " 

Why would a potential cybercrime syndicate want a socially 
engineered business owner to open a merchant 

bank account using his/her own data? Pretty simple. In my 
previous research on [24]the standardization of the 

money mule recruitment process, I emphasized on how 
money mules are often vetted through online-based 
surveys, 

which always ask important from a mule recruiter's 
perspective question, such as - when did you you first open 
your 

bank account, and do you have any limitations on 
incoming/ongoing monetary transactions on it? 

However, an established company would always benefit 
from the trust it has already established with its fi¬ 
nancial institution/service of choice, meaning that, it will not 
only get its merchant account open, but also, will 



successfully pass the majority of verification protection 
mechanisms for high volume transactions put into the place 

by the financial institution/service in place. 

Sample reply email:

Thank you for your reply

We are a company involved in development, branding and launching of several web media and IT projects involved in consulting on green technology, renewables and alternative energy sources. Several of the projects are being currently launched online and each one will need to have a card payment interface. This collaboration refers to opening a merchant account for online credit card acceptance (E-commerce).

We would need your company to open a merchant account for card acceptance and handle the receivables derived from the sales generated by each project. A bank/payment provider will facilitate data needed for website integration with their E-commerce payment gateway. We will handle the technical side of such integration in full.

We will brand the website under your company, therefore the administrative company data listed on the website will be yours, but all customer service, technical logistics and sales are to be handled by us.

The products sold will be proprietary research articles and information packages on green technology, renewables and alternative energy sources.

Incoming proceedings from sales will be settled by the bank (or the payment provider) into your business bank account on a time scale defined by the bank (or the payment provider).

These sale proceedings will be transferred to us, minus your commission and expenses incurred. The volume of monthly payments processed through the merchant account will be in the order of EUR 200,000 - EUR 250,000 per month in the initial months. The expected rise is roughly 5-6 % every month. The commission proposed to you stands at 5 % of the mentioned volume.

All the expenses related to the operation including the banking and transactions fees and the merchant account setup and related fees are to be covered by us. If you agree in principle, I will provide the contract draft to define the legal terms of our collaboration.

Yours sincerely,

Michael Torti
General Manager
ECOFIN Projects (Gibraltar)
Tel/Fax: +350 2006 1287

Who are ECOFIN Projects (ecofinservices.net - 50.63.220.106)? Nothing more than [25]a cybercrime-friendly "marketing agency" at its best.
Sample About Us description:

Ecofin is offering outstanding solutions which are useful in maximizing revenues that are generated through a wide range of investment sectors and global assets. A wide range of services and financial opportunities are being offered for manufacturers, developers, owners as well as financial investors interested in our niche investment portfolios and services.

We are operating as a globally safe company as well as involving risk and integrity management expertise that brings together practical experience along with cutting edge, innovative engineering and technologies. The company is research based which is primarily focused on environmental sectors, alternative energy, infrastructure, as well as utility all around the globe.

The firm is practicing a fundamental and basic approach while it comes to managing its clientele assets. Ecofin is useful in developing, branding as well as launching exclusive information sales podiums based on alternative, as well as green technological sources along with IT and web media themes. The company is dedicated to providing its clients with the highest levels of quality services and investment returns within the niche industries that we focus upon.
Contact details:

+350 200 67911 (Gibraltar)
+852 5808 2461 (Hong Kong)
+54 11 5984 1154 (Buenos Aires)
+44 20 3051 6249 (London)
Skype: ecofin2013
Suite 4, 209 Main Street
Gibraltar GBZ 1AA

A potentially socially engineered business owner would then be contacted with a similar email:

Please find the Contract draft attached, review and confirm your agreement with every point of it. The next step would be to provide the proper company data to be put in the contract and produce the final version for the signing.

Please review the showcase website:

This site will be copied into a new domain reflecting your company name and your company data.

As indicated, all customer service, sales, technical logistics, etc. are to be handled by us. You would need to open a merchant account for online credit card acceptance (E-commerce).

The customers will be from all over the world. All the issues related to sales, marketing, customer service, supply, logistics, etc. are to be handled by us. You will be required to open a merchant account for online credit card acceptance, receive the funds and transfer us the proceedings, as indicated in the contract draft with detail. No capital or any upfront payments from your side are required. If it is necessary to cover any upfront fees for the merchant account establishment, we will transfer such fees to you beforehand.

Sample Web Site Template offered as an example of how a socially engineered business owner's company branded Web site would look (greentechidea.com - 50.63.39.1):

Sample copy of the Contract:

Sample domains from the mule recruitment campaigns spamvertised over email:

googleapp-consult.com
googleapps-euro.com
worlds-trade.com
trades-consult.com
worlds-diploms.com

Sample name servers involved in the campaign:

NS1.ELCACAREO.NET - 184.82.62.16; 136.0.16.169; 184.82.204.70 - Email: shanghaiherald32@yahoo.com
NS2.ELCACAREO.NET - 6.87.78.121

The same email (shanghaiherald32@yahoo.com) is also known to have been used to register the following fraudulent/malicious domains:

badstylecorps.com
tvbHps.net
viperlair.net
Summarizing Webroot's Threat Blog Posts for August (2013-08-30 14:11)

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for August, 2013. You can subscribe to [2]Webroot's Threat Blog RSS Feed, or follow me on Twitter:

01. [3]'Malware-infected hosts as stepping stones' service offers access to hundreds of compromised U.S based hosts
02. [4]New 'Hacked shells as a service' empowers cybercriminals with access to high page rank-ed Web sites
03. [5]Fake 'iPhone Picture Snapshot Message' themed emails lead to malware
04. [6]Malicious Bank of America (BofA) 'Statement of Expenses' themed emails lead to client-side exploits and malware
05. [7]Cybercriminals spamvertise fake 'O2 U.K MMS' themed emails, serve malware
06. [8]One-stop-shop for spammers offers DKIM-verified SMTP servers, harvested email databases and training to potential customers
07. [9]Fake 'Apple Store Gift Card' themed emails serve client-side exploits and malware
08. [10]Newly launched managed 'malware dropping' service spotted in the wild
09. [11]Cybercrime-friendly underground traffic exchange helps facilitate fraudulent and malicious activity
10. [12]From Vietnam with tens of millions of harvested emails, spam-ready SMTP servers and DIY spamming tools
11. [13]DIY Craigslist email collecting tools empower spammers with access to fresh/valid email addresses
12. [14]Bulletproof TDS/Doorways/Pharma/Spam/Warez hosting service operates in the open since 2009
13. [15]DIY automatic cybercrime-friendly 'redirectors generating' service spotted in the wild
14. [16]Cybercriminals offer spam-ready SMTP servers for rent/direct managed purchase
15. [17]Cybercrime-friendly underground traffic exchanges help facilitate fraudulent and malicious activity - part two
Rogue iFrame Injected Web Sites Lead to the AndroidOS/FakeInst/Trojan-SMS.J2ME.JiFake Mobile Malware (2013-09-16 14:29)

A currently ongoing malicious campaign relying on injected iFrames at legitimate Web sites successfully [1]segments mobile traffic, and exposes mobile users to fraudulent, legitimately looking variants of the AndroidOS/FakeInst/TrojanSMS.J2ME.JiFake mobile malware.

Let's dissect the campaign, expose the domains portfolio currently/historically known to have been involved in this campaign, as well as list all the malicious MD5s known to have been pushed by it.

iFrame injected domains containing the mobile traffic segmentation script, parked on the same IP (93.170.109.193):

asphalt7-android.org

Sample mobile malware MD5s pushed by the campaign:

Phone back location:

hxxp://depositmobi.com/getTask.php/task=updateOpening&s= - 93.170.107.130

Parked on the same IP (93.170.107.130) are also the following domains participating in the campaign's infrastructure:



The following malicious mobile malware MD5s are known to have phoned back to the same IP in the past:


What's also worth emphasizing is that we've also got a decent number of malicious Windows samples known to have phoned back to the same IP in the past, presumably in an attempt by fellow cybercriminals to monetize the traffic through an affiliate program.


Actual download location of a sample mobile malware sample:

hxxp://mediaworksS.com/getfile.php?dtype=dle&u=getfl&d=FLVPLayer - 78.140.131.124

The following mobile malware serving domains are also known to have responded to the same IP (78.140.131.124) in the past:


As well as the following malicious MD5s:

[16] MD5: 8cfebfa7175e6e9al0e2a9ade4d87405
[17] MD5: 4e5af55dd6a310bced83eb08c9a635b3

Thanks to the commercial availability of [18]DIY iFrame injecting platforms, the current [19]commoditization of hacked/compromised accounts across multiple verticals, the [20]efficiency-oriented mass SQL injection campaigns, as well as the existence of beneath-the-radar [21]malvertising campaigns, cybercriminals are perfectly positioned to continue monetizing mobile traffic for fraudulent/malicious purposes.

Updates will be posted as soon as new developments take place.
Dissecting FireEye's Career Web Site Compromise (2013-09-18 19:41)

Remember when back in 2010, I established a direct connection between several [1]mass WordPress blogs compromise campaigns and the campaign behind the [2]compromised Web site of the U.S. Treasury, prompting the cybercriminal(s) behind it to [3]redirect all the campaign traffic to my Blogger profile?

It appears that the cybercriminal/gang of cybercriminals behind these mass Web site compromise campaigns is/are not just [4]still in business, but also - Long Tail of the malicious Web - [5]managed to infect FireEye's (external network) Careers Web Site.

Let's dissect the campaign, expose the malicious domains portfolio behind it, provide MD5s for a sample exploit and the dropped malware, and connect it to related malicious campaigns, all of which continue to share the same malicious infrastructure.
Sample redirection chain:

hxxp://vjs.zencdn.net/c/video.js
->
hxxp://cdn.adsbarscipt.com/links/jump/ (198.7.59.235; 63.247.93.69; 69.39.238.28; 74.81.94.44) (IE)
->
hxxp://cdn.adsbarscipt.com/links/flash/?updnew (CHROME)
->
hxxp://209.239.127.185/591918d6c2e8ce3f53ed8b93fb0735cd/face-book.php
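As an added example (not the author's code), here is defender-side detection logic for the chain just listed: it parses proxy-log lines, groups requests per client, and raises an alert when a request to cdn.adsbarscipt.com/links/jump/ or /links/flash/ is followed within a minute by a fetch of /<32 hex>/face-book.php from a bare-IP host, with the earlier video.js load raising confidence. The log layout, the sample lines and the assumption that the 32-hex directory varies are mine; the hosts, paths and IPs are the ones documented above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators as documented in the post: the tampered script, the redirector
# host, the IPs it resolved to, and its two entry paths.
VIDEOJS_HOST, VIDEOJS_PATH = "vjs.zencdn.net", "/c/video.js"
ADSBAR_HOST = "cdn.adsbarscipt.com"
ADSBAR_IPS = {"198.7.59.235", "63.247.93.69", "69.39.238.28", "74.81.94.44"}
ADSBAR_PATHS = ("/links/jump/", "/links/flash/")
# Final hop: a bare-IP host serving /<32 hex chars>/face-book.php. Treating the
# directory as variable is an assumption that generalises the one documented URL.
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
EXPLOIT_PATH_RE = re.compile(r"^/[0-9a-f]{32}/face-book\.php$")

# Constructed proxy-log layout (an assumption, not any real product's format):
# "<iso-timestamp> <client-ip> <destination-ip> <method> <url>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<dst>\S+) (?P<method>[A-Z]+) "
    r"https?://(?P<host>[^/\s?]+)(?P<path>/[^\s?]*)?(?:\?(?P<query>\S*))?$"
)
WINDOW = timedelta(seconds=60)  # hops further apart than this are not one chain


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["path"] = rec["path"] or "/"
    rec["query"] = rec["query"] or ""
    return rec


def classify(rec):
    """Return which hop of the documented chain a request is (1, 2 or 3), else None."""
    if rec["host"] == VIDEOJS_HOST and rec["path"] == VIDEOJS_PATH:
        return 1
    if (rec["host"] == ADSBAR_HOST or rec["dst"] in ADSBAR_IPS) \
            and rec["path"].startswith(ADSBAR_PATHS):
        return 2
    if BARE_IP_RE.match(rec["host"]) and EXPLOIT_PATH_RE.match(rec["path"]):
        return 3
    return None


def find_chains(lines):
    """Alert once per exploit-page fetch (hop 3) that hop 2 preceded within WINDOW.

    Hop 1 (the tampered video.js) only raises confidence to "full" when it also
    precedes hop 2; a cached copy of the script would not show up in the log, so
    its absence never hides a hop 2 -> hop 3 sequence.
    """
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_client[rec["client"]].append(rec)

    alerts = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        last = {}  # hop number -> most recent request classified as that hop
        for rec in recs:
            hop = classify(rec)
            if hop is None:
                continue
            last[hop] = rec
            if hop != 3 or 2 not in last or rec["ts"] - last[2]["ts"] > WINDOW:
                continue
            full = 1 in last and last[2]["ts"] - last[1]["ts"] <= WINDOW
            redirector = last[2]["host"] + last[2]["path"]
            if last[2]["query"]:
                redirector += "?" + last[2]["query"]
            alerts.append({
                "client": client,
                "confidence": "full" if full else "partial",
                "redirector": redirector,
                "exploit_url": rec["host"] + rec["path"],
            })
    return alerts


# Constructed sample lines: 10.0.0.5 walks the whole chain, 10.0.0.9 only reaches
# the redirector, 10.0.0.7 browses an unrelated site. The exploit-page URL is the
# one quoted in the post; other destination IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "2013-09-17T10:00:01 10.0.0.5 203.0.113.10 GET http://vjs.zencdn.net/c/video.js",
    "2013-09-17T10:00:02 10.0.0.5 198.7.59.235 GET http://cdn.adsbarscipt.com/links/flash/?updnew",
    "2013-09-17T10:00:03 10.0.0.5 209.239.127.185 GET "
    "http://209.239.127.185/591918d6c2e8ce3f53ed8b93fb0735cd/face-book.php",
    "2013-09-17T10:05:00 10.0.0.9 63.247.93.69 GET http://cdn.adsbarscipt.com/links/jump/",
    "2013-09-17T10:06:00 10.0.0.7 203.0.113.20 GET http://example.com/careers/",
]

if __name__ == "__main__":
    for alert in find_chains(SAMPLE_LOG):
        print(alert)
```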

Detection rate for a sample malicious script found on the client-side exploits serving site:

[6] MD5: 809f70b26e3a50fb9146ddfa8cf500be - detected by 1 out of 49 antivirus scanners as Trojan.Script.Heuristic-js.iacgm

Sample detection rate for the served client-side exploit:

[7] MD5: 71c92ebc2a889d3541ff6f20b4740868 - detected by 4 out of 49 antivirus scanners as HEUR:Exploit.Java.CVE-2012-1723.gen; HEUR JAVA.EXEC

Detection rate for a sample dropped malware:

[8] MD5: 4bfb3379a2814f5eb67345d43bce3091 - detected by 15 out of 49 antivirus scanners as Trojan-PSW.Win32.Fareit.acqv; PWS:Win32/Fareit.gen!C

The following malicious MD5s are known to have been downloaded from the same IPs (cdn.adsbarscipt.com - 198.7.59.235; 63.247.93.69; 69.39.238.28; 74.81.94.44):

[9] MD5: 82el013106736b74255586169a217d66
[10] MD5: 01771c3500a5bl543f4fb43945337c7d
[11] MD5: dbf6f5373f56f67e843af30fded5c7f2
Additionally, the campaign is also known to have dropped [12] MD5: 01771c3500a5bl543f4fb43945337c7d

Once executed, the most recently dropped sample (MD5: 4bfb3379a2814f5eb67345d43bce3091) phones back to the following C&C servers:

main-firewalls.com (67.228.177.174; 74.204.171.69; 85.195.104.90) - Email: alexl978a@bigmir.net
simple-cdn-node.com (109.120.143.109) - Email: alexl978a@bigmir.net
akamai.com/gate.php

Deja vu! We've already seen alexl978a@bigmir.net in [13]Network Solutions' (2010) mass WordPress blogs compromise, a campaign which is also directly connected with [14]the compromise of the Web site of the U.S. Treasury.

The sample also attempts to download the following additional malware variants:

main-firewalls.com/6.exe
main-firewalls.com/1.exe
simple-cdn-node.com/1.exe - [15] MD5: 05d003a374a29c9c2bbc250dd5c56d7c

Responding to 67.228.177.174 are also the following malicious domains:



The following malicious MD5s are also known to have phoned back to the same IP (67.228.177.174) in the past:




Responding to 85.195.104.90 are also the following malicious domains:

catch-cdn.com
corp-firewall.com
kronoemail.com
main-firewalls.com
viacominfosys.com
emaildatastore.com

The following malicious MD5s are also known to have phoned back to the same IP (85.195.104.90) in the past:




Such type of factual attribution based on gathered historical OSINT isn't surprising, thanks to the fact that despite the increasing number of novice cybercriminals joining the ecosystem, the "usual suspects" continue operating for the sake of achieving their fraudulent and malicious objectives.

This post has been reproduced from [16]Dancho Danchev's blog. Follow him [17]on Twitter.

1. http://ddanchev.blogspot.com/2010/04/dissecting-wordpress-blogs-compromise.html
2. http://ddanchev.blogspot.com/2010/05/us-treasury-site-compromise-linked-to.html
3. http://1.bp.blogspot.com/_wlCHhTiOmrA/S-CnwKIv7ll/AAAAAAAAEsA/3esPISPhaKc/s1600/BureauOfEngravingAndPrintingexploitsmalware1.png
4. http://blog.videojs.com/post//unauthorized-modification-of-video-js-cdn-files
5. http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/darkleech-says-hello.html
6. https://www.virustotal.com/en/file/311c27de8d357d9cbe63cbf798abad294d2daa467d45b7fb4b9bef4f613d0f33/analysis/1379521024/
7. https://www.virustotal.com/en/file/a87d2556c827Qd35dQdc49a29376fb5Qd685dQ5782cd48f376479a6217474b51/analysis/1379521163/
8. https://www.virustotal.com/en/file/370ecf6b98al3b5b379cflcleeclb5926fclb23clcl9bacQ36087calcl8alle2ecla8f8/analysis
9. https://www.virustotal.com/en/file/e4Qa76Q4cQ87a7Q9ec9b9f8a78564dl542c4d221733eb4ebb512b3d52Q2a8eld/analysis
10. https://www.virustotal.com/en/file/ea3be0fb4367e038c602a3de5811821d2367f3326ab2al2f469db4cda06fafa7/analysis
11. https://www.virustotal.com/en/file/59d5d28aclbl69bfc3905Qlfc9d29b5511dec357345df5e38c5aa47675acd5df/analysis
12. https://www.virustotal.com/en/file/ea3beQfb4367e038c6Q2a3de5811821d2367f3326ab2al2f469db4cda06fafa7/analysis
13. http://ddanchev.blogspot.com/2010/04/dissecting-wordpress-blogs-compromise.html
14. http://ddanchev.blogspot.com/2010/05/us-treasury-site-compromise-linked-to.html
15. https://www.virustotal.com/en/file/e28f368359094d42110fbae6bbef5cca649eac4ba540192827cac7b794bdaab7/analysis
16. http://ddanchev.blogspot.com/
17. http://twitter.com/danchodanchev
704 



Dissecting FireEye's Career Web Site Compromise 
(2013-09-18 19:41) 

Remember when back in 2010, I established a direct 
connection between several [l]mass Wordpress biogs 
com¬ 
promise campaigns, with the campaign behind the 

[2]compromised Web site of the U.S. Treasury, 

prompting the 

cybercriminal(s) behind it to [3]redirect aii the campaign 
traffic to my Biogger profiie? 

It appears that the cybercriminal/gang of cybercriminals 
behind these mass Web site compromise campaigns 

is/are not just [4]stiii in business, but also - Long Tail of the 
malicious Web - [5]managed to infect FireEye' 





















(external network) Careers Web Site. 

Let's dissect the campaign, expose the malicious domains 
portfolio behind it, provide MD5s for a sample ex¬ 
ploit, the dropped malware, and connect it to related 
malicious campaigns, all of which continue to share the same 

malicious infrastructure. 

Sample redirection chain: 

hxxp://vjs.zencdn.net/c/video.js 

-> 

hxxp://cdn. adsbarscipt. com/links/jump/ 

(198.7.59.235; 

63.247.93.69; 

69.39.238.28; 

74.81.94.44) 

(IE) 

-> 

hxxp://cdn. adsbarscipt. com/links/flash/?updnew 
(CHROME) 

-> 

hxxp.7/209.239.127.185/591918d6c2e8ce3f53ed8b93fb0735 
cd/face-book.php 



Detection rate for a sample malicious script found on 
the client-side exploits serving site: 

[6] MD5: 809f70b26e3a50fb9146ddfa8cf500be - detected by 
1 out of 49 antivirus scanners as Trojan.Script.Heuristic- 

js.iacgm 

Sample detection rate for the served client-side 
exploit: 

[7] MD5: 71c92ebc2a889d3541ff6f20b4740868 - detected 
by 4 out of 49 antivirus scanners as HEUR:Exploit.Java.CVE- 

2012-1723.gen; HEUR JAVA.EXEC 

Detection rate for a sample dropped malware: 

[8] MD5: 

4bfb3379a2814f5eb67345d43bce3091 - detected by 15 out 
of 49 antivirus scanners as Trojan- 

PSW.Win32.Fareit.acqv; PWS:Win32/Fareit.gen!C 

The following malicious MD5s are known to have 
been downloaded from the same IPs 
(cdn.adsbarscipt.com 

(198.7.59.235; 63.247.93.69; 69.39.238.28; 
74.81.94.44): 

[9] MD5:82el013106736b74255586169a217d66 

[10] MD5: 01771c3500a5bl543f4fb43945337c7d 

[11] MD5: dbf6f5373f56f67e843af30fded5c7f2 
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Additionally, the campaign is also known to have dropped 

[12] MD5: 01771c3500a5bl543f4fb43945337c7d 

Once executed, the most recently dropped sample 
(MD5: 

4bfb3379a2814f5eb67345d43bce3091) phones 

back to the following C &C servers: 

main-firewalls.com (67.228.177.174; 74.204.171.69; 
85.195.104.90) - Email: alexl978a(g)bigmir.net 

simple-cdn-node.com (109.120.143.109) - Email: 
alexl978a(g)big mir.net 

akamai.com/gate.php 

Deja vu! We've already seen alexl978a(g)bigmir.net in 

[13] Network Solution's (2010) mass Wordpress blogs 

compromise, a campaign which is also directly connected 
with [14]the compromise of the Web site of the U.S 

Treasury. 

The sample also attempts to download the following 
additional malware variants: 

main-fire waiis. com/6, exe 

main-fire waiis. com/1. exe 

simpie-cdn-node. com/1. exe - [ 15 ] M D 5: 

05d003a374a29c9c2bbc250dd5c56d7c 



Responding to ^1 ,T1Z,\11 ,\1 ^ are also the following 
malicious domains: 

aodairangdong. com 

bolsaminimall. com 

catch-cdn.com 

corp-fire wall, com 

himarkrealty. com 

ngnetworld.com 

ritz-entertainment. com 

server, evletmusic. com 

vlettv24.com 

vpoptv.com 

plussolarsolutlons. com 
artlstflower.com 
autoairsystems. com 
elghteas.com 
greenpo wersurvey. com 
phattubl.com 
rItz-entertaInment. com 
salgoncitymall. com 



The following malicious MD5s are also known to have 
phoned back to the same IP (67.228.177.174) in the 

past: 

MD5: 05636d38090e5726077cea54d2485806 
MD5: 53b73675flb08cf7ecfc3c80677c8d2e 
MD5: 0f424ff9db97dafaba746f26d6d8d5c0 
MD5: 633d6de861edc2ecf667f02d0997fl0e 
MD5: dl3ead2b8a424b5e9c5977f8715514c4 
MD5: bfc9803c94cc8ba76a916f8e915042e4 
MD5: a04d33ced90f72cla77f312708681c07 
MD5: 7e6el5518cc48639612aa4ff00a2a454 
MD5: 98d78ef8cc5aeel93a7b7a3c3bb58c87 
MD5: a030d6e35d736db9dd433a8d2ac8a915 
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MD5: If7a6ed70be6el3efb45e5ba80eed76e 
MD5: Cfc727a0ad51eblflll305873d2ade04 
MD5: Ib6de030ed3b42e939690630f63d6933 
MD5: fa9e92d42580el789ed04e551a379e4e 
MD5: 2ed9d63e4d557667bad7806872cf4412 


MD5: befl6d25b2cada2a388ea06c204b44f3 



MD5: 77a93ba48d6532e069745bcall7d26ed 

MD5: 7c7e4cef8a7181f7982a841f7f752368 

MD5: 57b5e6f38998e32fa93856970cc66c5e 

MD5: 5d388blf2bf2dc9493f5c4cfb9d53ca0 

MD5: ec24a959e39c5d2eb7dc769f4b098efb 

MD5: 6357085196499ef5301548ffl7b62619 

MD5: 3173d4be34f489a4630f2439f9653c2c 

MD5: 3bd239ee46ab8ba02f57edl762bd3ae6 

MD5: dce3e33eb294f0a7688be5bea6b7e9d4 

MD5: Ied678e9d29c25043fddlb4c44f5b2ea 

MD5: eccce6f5f509f4ef986d426445a98f0d 

MD5: 74ele2f2d562ab6883124cfa43300cf2 

MD5: 6922efa2e5aal6b78c982d633cbe44e9 

Responding to 85.195.104.90 are also the following 
malicious domains: 

catch-cdn.com 

corp-fire wall, com 

kronoemall.com 

mam-fire walls, com 

viacominfosys. com 



emaildatastore. com 


The following malicious MD5s are also known to have 
phoned back to the same IP (85.195.104.90) in the 

past: 

MD5: 88110dbce9591b68b06b859e7965d509 
MD5: 0e055888564fb59cb6d4e35a5c5fb33d 
MD5: e9d8d2842b576fd4f6ef9ddelfea4b9f 
MD5: e750031fc9b9264852133d8f7284ac7a 
MD5: e0da2ca4e9al74cd3c6f8a348e4861ad 
MD5: b23a579d7b8bf5a03cl21d2f74234b2d 
MD5: alee5246d984d900f27ce94fbfc37c2b 
MD5: 2118a70a2ccf0a7772725e765ad64e08 
MD5: f26848e64040b4b6614d95bd967045df 
MD5: 9c5997b32bea6945f0cb9ff0cl8cf040 
MD5: 353305483087a5316fd75f63d641eclf 
MD5: 34e67771ca411bl63866fle795b2e72e 
MD5: 571e04b5af915979efc5a7f77794facb 
MD5: a21df3ee0c9dd87cf6ca66581aa7eb76 
MD5: e2137edd5f550bl942cl6e70095c436b 


MD5: 97437f6d670db2596b6a6b53c887055c 



Such factual attribution based on gathered historical OSINT isn't surprising: despite the increasing number of novice cybercriminals joining the ecosystem, the "usual suspects" continue operating for the sake of achieving their fraudulent and malicious objectives.


Updates will be posted as soon as new developments 
take place. 

[Screenshot of the spamvertised email: a Facebook-styled "You have new notifications" digest listing messages, friend requests, friend suggestions and photo tags, with "View Notifications" and "Go to Facebook" links and an unsubscribe footer]


Spamvertised Facebook 'You have friend suggestions, friend requests and photo tags' Themed Emails Lead to Client-side Exploits and Malware (2013-09-28 13:53)

A currently circulating malicious 'Facebook notifications' themed spam campaign attempts to trick Facebook's users into thinking that they've received a notifications digest for the activity that (presumably) took place while they were logged out of Facebook. In reality though, once users click on any of the links found in the malicious email, they're automatically exposed to client-side exploits ultimately dropping malware on their hosts.

Let's dissect the campaign, provide actionable intelligence on the campaign's structure, the involved portfolio of malicious domains, actual/related MD5s, and as always, connect the currently ongoing campaign with two other previously profiled malicious campaigns.

Spamvertised URL:

hxxp://user4634.vs.easily.co.uk/darkened/PSEUDO_RANDOM_CHARACTERS

Attempts to load the following malicious scripts:

hxxp://3dbrandscapes.com/starker/manipulator.js
hxxp://distrigold.eu/compounding/melisa.js
hxxp://ly-ra.com/shallot/mandalay.js

Client-side exploits serving URL:

hxxp://directgrid.org/topic/lairtg-nilles-slliks.php

Malicious domain name reconnaissance:

directgrid.org - 50.116.10.71 - Email: ringfields@islandresearch.net



Responding to the following IP (50.116.10.71) are also the following malicious domains participating in the campaign:


The following malicious MD5s are known to have been downloaded - related campaigns - from the same IP (50.116.10.71):

MD5: 7eb6740ed6935da49614d95a43146dea
MD5: 7768f7039988236165cdd5879934cc5d

The following malicious MD5s are known to have 'phoned back' to the same IP (50.116.10.71) over the past 24 hours:


Sample detection rate for the client-side exploits serving malicious script:

[1] MD5: 00f5d150ff1b50c0bbc1d038eb676c29 - detected by 2 out of 48 antivirus scanners as Script.Exploit.Kit.C; Troj/ObfJS-EO

Sample detection rate for the served exploit:

[2] MD5: d49275523cae83a5e7639bb22604dd86 - detected by 5 out of 48 antivirus scanners as HEUR:Exploit.Java.Generic; HEUR JAVA.EXEC; TROJ_GEN.F47V0927

Upon successful client-side exploitation the campaign drops the following malicious sample on the affected hosts:

[3] MD5: 6ef9476e6227ef631b231b66d7a2a08b - detected by 7 out of 48 antivirus scanners as Win32/Spy.Zbot.AAU; Trojan-Spy.Win32.Zbot.qckm; TROJ_GEN.F47V0927

Once executed, the sample starts listening on ports 3185 
and 7101. 


It also creates the following Mutexes on the system: 


It creates the following Registry Key:

HKEY_CURRENT_USER\Software\Microsoft\Waosumag

And changes the following Registry Values:

[HKEY_CURRENT_USER\Identities] -> Identity Login = 0x00098053

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] -> Keby = %AppData%\Ortuet\keby.exe

[HKEY_CURRENT_USER\Software\Microsoft\Waosumag] -> 2df3e6ig = 23 CD 87 C3 1E D1 FA C6 28 2E DF 4D 12 21; 2icbbj3a = 0xC3E6CD13; 185cafc2 = CB D5 E6 C3 F6 D8 CD C6 05 2E EF 4D

It then phones back to the following C&C (command and control) servers:


We've already seen the same IPs (217.35.75.232; 108.240.232.212) in the following previously profiled malicious campaign - [4]Spamvertised "FDIC: Your business account" themed emails serve client-side exploits and malware.

We've also seen 107.193.222.108 in the following malicious campaign - [5]Spamvertised 'Export License/Invoice Copy' themed emails lead to malware, indicating that all of these campaigns are controlled using the same malicious botnet infrastructure.

The following malicious MD5s are also known to have phoned back to the same C&C servers used in this campaign, over the past 24 hours:


This post has been reproduced from [6]Dancho Danchev's blog. Follow him [7]on Twitter.

1. https://www.virustotal.com/en/file/95d3cfd6c1f094871f311593c73726700a1fcc7a1f5cf13ced1317c040545873/analysis/1380362621/

2. https://www.virustotal.com/en/file/bd7c0f52fd7d7e9b20ab9e8f13ac114243a4f09433f484f8fbc3b51c7c44650d/analysis

3. https://www.virustotal.com/en/file/8b0e0b269a2e332bae756304c07f392789f1c0215c2b23d52cc13fb1ae49f076/analysis/1380320726/

4. http://www.webroot.com/blog/2013/09/23/spamvertised-fdic-business-account-themed-emails-server-client-side-exploits-malware/

5. http://www.webroot.com/blog/2013/07/09/spamvertised-export-licenseinvoice-copy-themed-emails-lead-to-malware/

6. http://ddanchev.blogspot.com/

7. http://twitter.com/danchodanchev
Fake Pinterest 'Don't forget to confirm your email!' Themed Emails Serve Client-side Exploits and Malware (2013-10-01 21:12)

Cybercriminals have just launched yet another massive spam campaign, this time attempting to trick Pinterest users into thinking that they've received an email confirmation request. In reality though, once users click on the links found in the malicious emails, they're automatically exposed to client-side exploits, with the campaign dropping two malware samples on the affected hosts once a successful client-side exploitation takes place.

Let's dissect the campaign, expose the malicious portfolio of domains involved in it, provide MD5s of the served malware as well as a sample exploit, and provide actionable (historical) intelligence regarding related malicious activities that have been taking place using the same infrastructure that's involved in the Pinterest campaign.








Spamvertised malicious URL:

boxenteam.com/hathaway/index.html?emailmpss/PSEUDO_RANDOM_CHARACTERS

Attempts to load the following malicious scripts:

theodoxos.gr/hairstyles/defiling.js
web29.webbox11.server-home.org/volleyballs/cloture.js
knopfjos-combo.de/subdued/opposition.js

Sample client-side exploits serving URL:

pizzapluswindsor.ca/topic/latest-blog-news.php

Malicious domain name reconnaissance:

pizzapluswindsor.ca - 50.116.6.57; 174.140.169.145
Responding to the same IP (50.116.6.57) are also the following malicious domains, part of the campaign's infrastructure:

pizzapluswindsor.ca
plainidea.com
procreature.com
poindextersonpatrol.com
pixieglitztutus.com

Known to have responded to the second IP (174.140.169.145) are also the following malicious domains:



The following malicious MD5s are known to have phoned back to the same IP on the 22nd of September, 2013:




Detection rate for a sample served exploit from the Pinterest themed campaign:

[1] MD5: d49275523cae83a5e7639bb22604dd86 - detected by 5 out of 48 antivirus scanners as HEUR:Exploit.Java.CVE-2012-1723.gen

Upon successful client-side exploitation, the campaign drops two malware samples on the affected hosts.

Detection rate for the first dropped sample:

[2] MD5: ae840d6ac2f02b4bff85182d2c72a053 - detected by 6 out of 48 antivirus scanners as UDS:DangerousObject.Multi.Generic

Once executed, it phones back to the following C&C:

78.140.131.151/uploading/id=REDACTED&u=PSEUDO_RANDOM_CHARACTERS

The following malicious MD5s are also known to have phoned back to the same C&C IP (78.140.131.151) in the past:


Detection rate for the second dropped sample:

[3] MD5: 83bbe52c8584a5dab07a11ecc5aaf090 - detected by 3 out of 48 antivirus scanners as Trojan-Spy.Win32.Zbot.qgje; Trojan.Backdoor.RV

Once executed it starts listening on ports 7867 and 1653.

The sample then creates the following Mutexes on 
the affected hosts: 


Once executed, it also drops MD5: 2da7bbc5677313c2876b571b39edc7cf and MD5: 83bbe52c8584a5dab07a11ecc5aaf090 on the affected hosts.
It then phones back to the following C&C (command and control) servers:


We've already seen (some of) these C&C IPs in the following profiled malicious campaign "[4]Spamvertised Facebook 'You have friend suggestions, friend requests and photo tags' Themed Emails Lead to Client-side Exploits and Malware".
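The pivot both posts make by hand (the Facebook campaign sharing C&C IPs with the earlier FDIC and Export License campaigns, and the Pinterest campaign sharing them with the Facebook one) can be automated by inverting the campaign-to-IP mapping. The following is an added Python example, not the author's tooling; the campaign labels are constructed, and the IP sets are the ones the posts above attribute to each campaign.

```python
"""Pivot on shared C&C infrastructure across the profiled spam campaigns.

Added example, not the author's tooling. The IPs are the ones the posts
attribute to each campaign (the FDIC and Export License entries carry only
the IPs the Facebook post names as overlapping); campaign labels are
constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Set

CAMPAIGNS: Dict[str, Set[str]] = {
    "FDIC: Your business account (2013-09-23)": {
        "217.35.75.232", "108.240.232.212",
    },
    "Export License/Invoice Copy (2013-07-09)": {
        "107.193.222.108",
    },
    "Facebook notifications (2013-09-28)": {
        "99.157.164.179", "174.76.94.24", "99.60.68.114", "217.35.75.232",
        "184.145.205.63", "99.60.111.51", "207.47.212.146",
        "108.240.232.212", "107.193.222.108", "173.202.183.58",
        "201.170.83.92", "81.136.188.57", "71.186.174.184",
    },
    "Pinterest confirm your email (2013-10-01)": {
        "99.157.164.179", "174.76.94.24", "99.60.68.114", "217.35.75.232",
        "184.145.205.63", "99.60.111.51", "207.47.212.146",
        "108.240.232.212", "107.193.222.108",
    },
}


def index_by_ip(campaigns: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Invert campaign -> IPs into IP -> sorted list of campaign names."""
    index: Dict[str, List[str]] = defaultdict(list)
    for name, ips in campaigns.items():
        for ip in ips:
            index[ip].append(name)
    return {ip: sorted(names) for ip, names in index.items()}


def shared_infrastructure(campaigns: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Keep only the IPs that two or more campaigns phoned back to."""
    return {ip: names for ip, names in index_by_ip(campaigns).items()
            if len(names) > 1}


def new_indicators(campaigns: Dict[str, Set[str]], campaign: str) -> List[str]:
    """IPs attributed to `campaign` and to no other campaign: the ones a
    blocklist built from the earlier campaigns would still be missing."""
    shared = shared_infrastructure(campaigns)
    return sorted(ip for ip in campaigns[campaign] if ip not in shared)


def cluster_campaigns(campaigns: Dict[str, Set[str]]) -> List[List[str]]:
    """Group campaigns transitively linked by a shared IP (union-find).

    A single cluster holding every campaign is the "same botnet
    infrastructure" conclusion the posts draw by hand.
    """
    parent = {name: name for name in campaigns}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for names in index_by_ip(campaigns).values():
        for other in names[1:]:
            root_a, root_b = find(names[0]), find(other)
            if root_a != root_b:
                parent[root_b] = root_a

    clusters: Dict[str, Set[str]] = defaultdict(set)
    for name in campaigns:
        clusters[find(name)].add(name)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: c[0])


if __name__ == "__main__":
    for ip, names in sorted(shared_infrastructure(CAMPAIGNS).items()):
        print(f"{ip:16} shared by {len(names)} campaigns: {', '.join(names)}")
    for cluster in cluster_campaigns(CAMPAIGNS):
        print("infrastructure cluster:", " | ".join(cluster))
    print("new in Pinterest campaign:",
          new_indicators(CAMPAIGNS, "Pinterest confirm your email (2013-10-01)") or "none")
```

Feeding the Facebook campaign's C&C list through `new_indicators` yields the four IPs that no earlier campaign had exposed, which is the part of a new post that actually extends an existing blocklist.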

This post has been reproduced from [5]Dancho Danchev's blog. Follow him [6]on Twitter.

1. https://www.virustotal.com/en/file/bd7c0f52fd7d7e9b20ab9e8f13ac114243a4f09433f484f8fbc3b51c7c44650d/analysis/1380650108/

2. https://www.virustotal.com/en/file/2dbc3ad0626cbb577ec319b7a62b07b6899ffa74ad98309a6390623f2cd9cdd2/analysis/1380650448/

3. https://www.virustotal.com/en/file/db9345188d8b913b7abd5ea998f67fb7d4fb7aa054e48c52641e795d9b3c7e28/analysis/1380650677/

4. http://ddanchev.blogspot.com/2013/09/spamvertised-facebook-you-have-friend.html

5. http://ddanchev.blogspot.com/

6. http://twitter.com/danchodanchev
Fake Pinterest 'Don't forget to confirm your email!' Themed Emails Serve Client-side Exploits and Malware (2013-10-01 21:12)

Cybercriminals have just launched yet another massive spam campaign, this time attempting to trick Pinterest users into thinking that they've received an email confirmation request. In reality though, once users click on the links found in the malicious emails, they're automatically exposed to client-side exploits, with the campaign dropping two malware samples on the affected hosts once a successful client-side exploitation takes place.

Let's dissect the campaign, expose the malicious portfolio of domains involved in it, provide MD5s of the served malware as well as a sample exploit, and provide actionable (historical) intelligence regarding related malicious activities that have been taking place using the same infrastructure that's involved in the Pinterest campaign.

Spamvertised malicious URL:

boxenteam.com/hathaway/index.html?emailmpss/PSEUDO_RANDOM_CHARACTERS

Attempts to load the following malicious scripts:

theodoxos.gr/hairstyles/defiling.js

web29.webbox11.server-home.org/volleyballs/cloture.js

knopfjos-combo.de/subdued/opposition.js

Sample client-side exploits serving URL:

pizzapluswindsor.ca/topic/latest-blog-news.php

Malicious domain name reconnaissance:

pizzapluswindsor.ca - 50.116.6.57; 174.140.169.145
Responding to the same IP (50.116.6.57) are also the following malicious domains, part of the campaign's infrastructure:

pizzapluswindsor.ca
plainidea.com
procreature.com
poindextersonpatrol.com
pixieglitztutus.com

Known to have responded to the second IP (174.140.169.145) are also the following malicious domains:



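The pivot used above (domain to IP, then IP to every other domain seen on it) as an added example in Python; this is not the author's tooling. The passive-DNS records are constructed from the resolutions the post names (pizzapluswindsor.ca on 50.116.6.57 and 174.140.169.145 plus some of the co-hosted domains listed), the first_seen/last_seen dates are placeholders, and the two `.example` tenants are hypothetical noise added to show the filtering.

```python
"""Passive-DNS pivot: from one malicious domain to its co-hosted infrastructure.

Added example for this post; not the author's tooling. The records below are
constructed from the resolutions the post names; the dates are placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Resolution:
    domain: str
    ip: str
    first_seen: date
    last_seen: date


# Constructed passive-DNS table (dates are made up for the example).
PDNS = [
    Resolution("pizzapluswindsor.ca", "50.116.6.57", date(2013, 9, 20), date(2013, 10, 1)),
    Resolution("pizzapluswindsor.ca", "174.140.169.145", date(2013, 8, 1), date(2013, 9, 19)),
    Resolution("plainidea.com", "50.116.6.57", date(2013, 9, 22), date(2013, 10, 1)),
    Resolution("procreature.com", "50.116.6.57", date(2013, 9, 25), date(2013, 10, 1)),
    Resolution("poindextersonpatrol.com", "50.116.6.57", date(2013, 9, 25), date(2013, 10, 1)),
    Resolution("pixieglitztutus.com", "50.116.6.57", date(2013, 9, 26), date(2013, 10, 1)),
    Resolution("lesperancerenovations.com", "174.140.169.145", date(2013, 8, 2), date(2013, 9, 15)),
    Resolution("louievozza.com", "174.140.169.145", date(2013, 8, 3), date(2013, 9, 10)),
    # Hypothetical long-lived tenant on the same shared IP, unrelated to the campaign.
    Resolution("oldtenant.example", "50.116.6.57", date(2011, 1, 1), date(2013, 10, 1)),
    # Hypothetical domain that left the IP before the campaign domain arrived.
    Resolution("gone.example", "174.140.169.145", date(2013, 6, 1), date(2013, 7, 15)),
]


def pivot(seed, records, max_age_days=90):
    """Return {ip: [co-hosted domains]} for every IP the seed domain resolved to.

    A domain is reported only if its resolution window on that IP overlaps the
    seed's window and it did not appear on the IP more than max_age_days before
    the seed did: a tenant that predates the seed by years is far more likely
    to be unrelated shared hosting than campaign infrastructure.
    """
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec.ip].append(rec)

    found = defaultdict(set)
    for seed_rec in (r for r in records if r.domain == seed):
        found.setdefault(seed_rec.ip, set())  # list the IP even with no co-hosted domains
        for other in by_ip[seed_rec.ip]:
            if other.domain == seed:
                continue
            overlaps = (other.first_seen <= seed_rec.last_seen
                        and other.last_seen >= seed_rec.first_seen)
            lead_days = (seed_rec.first_seen - other.first_seen).days
            if overlaps and lead_days <= max_age_days:
                found[seed_rec.ip].add(other.domain)
    return {ip: sorted(domains) for ip, domains in found.items()}


def shared_ips(domain_a, domain_b, records):
    """IPs that both domains resolved to at some point (any window)."""
    ips_a = {r.ip for r in records if r.domain == domain_a}
    ips_b = {r.ip for r in records if r.domain == domain_b}
    return sorted(ips_a & ips_b)


if __name__ == "__main__":
    for ip, domains in pivot("pizzapluswindsor.ca", PDNS).items():
        print(ip, "->", ", ".join(domains))
```

Raising `max_age_days` pulls the long-lived tenant back in, which is the usual trade-off between coverage and false attribution on shared hosting.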

The following malicious MD5s are known to have phoned back to the same IP on the 22nd of September, 2013:


Detection rate for a sample served exploit from the Pinterest themed campaign:

[1] MD5: d49275523cae83a5e7639bb22604dd86 - detected by 5 out of 48 antivirus scanners as HEUR:Exploit.Java.CVE-2012-1723.gen

Upon successful client-side exploitation, the campaign drops two malware samples on the affected hosts.

Detection rate for the first dropped sample:

[2] MD5: ae840d6ac2f02b4bff85182d2c72a053 - detected by 6 out of 48 antivirus scanners as UDS:DangerousObject.Multi.Generic

Once executed, it phones back to the following C&C:

78.140.131.151/uploading/id=REDACTED&u=PSEUDO_RANDOM_CHARACTERS

The following malicious MD5s are also known to have phoned back to the same C&C IP (78.140.131.151) in the past:


Detection rate for the second dropped sample:

[3] MD5: 83bbe52c8584a5dab07a11ecc5aaf090 - detected by 3 out of 48 antivirus scanners as Trojan-Spy.Win32.Zbot.qgje; Trojan.Backdoor.RV

Once executed, it starts listening on ports 7867 and 1653.

The sample then creates the following Mutexes on the affected hosts:


Once executed, it also drops MD5: 2da7bbc5677313c2876b571b39edc7cf and MD5: 83bbe52c8584a5dab07a11ecc5aaf090 on the affected hosts.

It then phones back to the following C&C (command and control) servers:


We've already seen (some of) these C&C IPs in the following profiled malicious campaign "[4]Spamvertised Facebook 'You have friend suggestions, friend requests and photo tags' Themed Emails Lead to Client-side Exploits and Malware".

Updates will be posted as soon as new developments take place.

1. https://www.virustotal.com/en/file/bd7c0f52fd7d7e9b20ab9e8f13ac114243a4f09433f484f8fbc3b51c7c44650d/analysis/1380650108/

2. https://www.virustotal.com/en/file/2dbc3ad0626cbb577ec319b7a62b07b6899ffa74ad98309a6390623f2cd9cdd2/analysis/1380650448/

3. https://www.virustotal.com/en/file/db9345188d8b913b7abd5ea998f67fb7d4fb7aa054e48c52641e795d9b3c7e28/analysis/1380650677/

4. http://ddanchev.blogspot.com/2013/09/spamvertised-facebook-you-have-friend.html

Summarizing Webroot's Threat Blog Posts for September (2013-10-02 16:10)

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for September, 2013. You can subscribe to [2]Webroot's Threat Blog RSS Feed, or follow me on Twitter:

01. [3]DIY malicious Android APK generating 'sensitive information stealer' spotted in the wild

02. [4]Scammers pop up in Android's Calendar App

03. [5]Web-based DNS amplification DDoS attack mode supporting PHP script spotted in the wild

04. [6]Managed Malicious Java Applets Hosting Service Spotted in the Wild

05. [7]Affiliate network for mobile malware impersonates Google Play, tricks users into installing premium-rate SMS sending rogue apps

06. [8]419 advance fee fraudsters abuse CNN's 'Email This' Feature, spread Syrian Crisis themed scams

07. [9]Cybercriminals offer anonymous mobile numbers for 'SMS activation', video tape the destruction of the SIM card on request

08. [10]Yet another 'malware-infected hosts as anonymization stepping stones' service offering access to hundreds of compromised hosts spotted in the wild

09. [11]Cybercriminals experiment with 'Socks4/Socks5/HTTP' malware-infected hosts based DIY DoS tool

10. [12]Cybercriminals sell access to tens of thousands of malware-infected Russian hosts

11. [13]Spamvertised "FDIC: Your business account" themed emails serve client-side exploits and malware

12. [14]Cybercriminals experiment with Android compatible, Python-based SQL injecting releases

13. [15]Newly launched E-shop offers access to hundreds of thousands of compromised accounts

14. [16]DIY commercial CAPTCHA-solving automatic email account registration tool available on the underground market since 2008

15. [17]Yet another subscription-based stealth Bitcoin mining tool spotted in the wild

This post has been reproduced from [18]Dancho Danchev's blog. Follow him [19]on Twitter

1. http://www.webroot.com/blog

2. http://feeds2.feedburner.com/WebrootThreatBlog

3. http://www.webroot.com/blog/2013/09/06/diy-malicious-android-apk-generating-sensitive-information-stealer-spotted-wild/

4. http://www.webroot.com/blog/2013/09/09/scammers-pop-androids-calendar-app/

5. http://www.webroot.com/blog/2013/09/10/web-based-dns-amplification-ddos-attack-mode-supporting-php-script-spotted-wild/

6. http://www.webroot.com/blog/2013/09/11/managed-malicious-java-applets-hosting-service-spotted-wild/

7. http://www.webroot.com/blog/2013/09/18/affiliate-network-mobile-malware-impersonates-google-play-tricks-users-installing-premium-rate-sms-sending-rogue-apps/

8. http://www.webroot.com/blog/2013/09/18/419-advance-fee-fraudsters-abuse-cnns-email-feature-spread-syrian-crisis-themed-scams/

9. http://www.webroot.com/blog/2013/09/19/cybercriminals-offer-anonymous-mobile-numbers-sms-activation-video-tape-destruction-sim-request/

10. http://www.webroot.com/blog/2013/09/20/yet-another-malware-infected-hosts-anonymization-stepping-stones-service-offering-access-hundreds-compromised-hosts-spott

11. http://www.webroot.com/blog/2013/09/20/cybercriminals-release-new-socks4socks5-malware-infected-hosts-based-diy-dos-tool/

12. http://www.webroot.com/blog/2013/09/23/cybercriminals-sell-access-tens-thousands-malware-infected-russian-hosts/

13. http://www.webroot.com/blog/2013/09/23/spamvertised-fdic-business-account-themed-emails-server-client-side-exploits-malware/

14. http://www.webroot.com/blog/2013/09/24/cybercriminals-experiment-android-based-sql-injecting-python-based-releases/

15. http://www.webroot.com/blog/2013/09/25/newly-launched-e-shop-offers-access-hundreds-thousands-compromised-accounts/

16. http://www.webroot.com/blog/2013/09/27/diy-commercial-captcha-solving-automatic-email-account-registration-tool-available-underground-market-since-2008/

17. http://www.webroot.com/blog/2013/09/27/yet-another-subscription-based-stealth-bitcoin-mining-tool-spotted-wild/

18. http://ddanchev.blogspot.com/

19. http://twitter.com/danchodanchev

1.11 November

Summarizing Webroot's Threat Blog Posts for October (2013-11-01 17:54)

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for October, 2013. You can subscribe to [2]Webroot's Threat Blog RSS Feed, or follow me on Twitter:

01. [3]A peek inside a Blackhat SEO/cybercrime-friendly doorways management platform

02. [4]Newly launched 'HTTP-based botnet setup as a service' empowers novice cybercriminals with bulletproof hosting capabilities - part two

03. [5]'T-Mobile MMS message has arrived' themed emails lead to malware

04. [6]DDoS for hire vendor 'vertically integrates', starts offering TDoS attack capabilities

05. [7]Commercially available Blackhat SEO enabled multi-third-party product licenses empowered VPSs spotted in the wild

06. [8]New cybercrime-friendly iFrames-based E-shop for traffic spotted in the wild

07. [9]Cybercriminals offer spam-friendly SMTP servers for rent - part two

08. [10]Newly launched VDS-based cybercrime-friendly hosting provider helps facilitate fraudulent/malicious online activity

09. [11]Fake 'You have missed emails' GMail themed emails lead to pharmaceutical scams

10. [12]Compromised Turkish Government Web site leads to malware

11. [13]Novice cybercriminals offer commercial access to five mini botnets

12. [14]Spamvertised T-Mobile 'Picture IDType:MMS' themed emails lead to malware

13. [15]Yet another Bitcoin accepting E-shop offering access to thousands of hacked PCs spotted in the wild

14. [16]Malicious 'FW: File' themed emails lead to malware

15. [17]Mass iframe injection campaign leads to Adobe Flash exploits

16. [18]Rogue ads lead to the 'Mipony Download Accelerator/FunMoods Toolbar' PUA (Potentially Unwanted Application)

17. [19]A peek inside the administration panel of a standardized E-shop for compromised accounts

18. [20]U.K. users targeted with fake 'Confirming your Sky offer' malware serving emails

19. [21]New DIY compromised hosts/proxies syndicating tool spotted in the wild

20. [22]Rogue ads lead to the 'EzDownloaderpro' PUA (Potentially Unwanted Application)

21. [23]Fake 'Scanned Image from a Xerox WorkCentre' themed emails lead to malware

22. [24]Fake 'Important: Company Reports' themed emails lead to malware

23. [25]Cybercriminals release new commercially available Android/BlackBerry supporting mobile malware bot

24. [26]Fake WhatsApp 'Voice Message Notification/1 New Voicemail' themed emails lead to malware

This post has been reproduced from [27]Dancho Danchev's blog. Follow him [28]on Twitter
Malicious Script Artifacts at China Green Dot Gov Dot Cn - A Reminiscence of Asprox's Multi-Tasking Activities (2013-11-04 18:33)

Malware artifacts, [1]abandoned mass iframe [2]embedded/injected campaigns, and low Quality Assurance (QA) campaigns continue popping up on everyone's radar, raising eyebrows as to the extent of incompetence, possible evasive tactics, the plain and simple lack of applied QA when maintaining these campaigns, or the end of a campaign's life cycle.

What's the value of assessing such a non-active campaign? Can the analysis provide any clues into related, currently active malicious campaigns that, as is typical for this type of campaign, continue relying on the same malicious infrastructure? But of course.

Let's assess the malicious artifacts at hxxp://chinagreen.gov.cn, connect them to the multi-tasking activities conducted on behalf of the Asprox botnet, as well as several spamvertised malware campaigns circa 2010, and most importantly provide actionable intelligence on currently active campaigns that continue using the very same infrastructure for command and control purposes.

Malicious scripts at China Green Dot Gov Dot CN:

update.webserviceftp.ru/js.js - seen in "[3]Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"

gdi.webserviceftp.ru/js.js - seen in "[4]Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"

ver.webserivcekota.ru/js.js - seen in "[5]Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"

batch.webserviceaan.ru/js.js - seen in "[6]Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"

nemohuildiin.ru/tds/go.php?sid=1 - seen in "[7]Dissecting the Xerox WorkCentre Pro Scanned Document Themed Campaign"

parkperson.ru:8080/index.php?pid=13 - seen in "[8]Spamvertised Best Buy, Macy's, Evite and Target Themed Scareware/Exploits Serving Campaign"

nutcountry.ru:8080/index.php?pid=13 - seen in "[9]Spamvertised Best Buy, Macy's, Evite and Target Themed Scareware/Exploits Serving Campaign"

What's so special about the spamvertised Xerox WorkCentre Pro campaign is that, back in 2010, it used to drop an Asprox sample, naturally phoning back to well known Asprox C&Cs at the time.
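A check for the kind of artifact listed above, as an added example in Python rather than anything from the original post: it parses a page's HTML and flags `<script>`/`<iframe>` sources that are not served by the site itself, noting the non-standard port pattern the post shows. SAMPLE_HTML is a constructed page (not the real chinagreen.gov.cn markup) carrying two of the listed artifacts, and `cdn.example` in the allow-list is a hypothetical trusted host.

```python
"""Flag externally sourced <script>/<iframe> references in a page's HTML.

Added example for this post, not the author's tooling. SAMPLE_HTML is a
constructed page that embeds two of the script artifacts the post lists.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_HTML = """<html><head>
<title>constructed page</title>
<script src="/static/site.js"></script>
<script src="https://cdn.example/lib.js"></script>
<script src="http://update.webserviceftp.ru/js.js"></script>
</head><body>
<p>content</p>
<iframe src="http://parkperson.ru:8080/index.php?pid=13" width="0" height="0"></iframe>
</body></html>
"""


class RefCollector(HTMLParser):
    """Collect (tag, attrs, line) for every script/iframe start tag."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self.refs.append((tag, dict(attrs), self.getpos()[0]))


def _same_site(host, site_host):
    return host == site_host or host.endswith("." + site_host)


def external_refs(html, site_host, allowlist=frozenset()):
    """Return findings for script/iframe sources not served by site_host.

    Each finding carries the reasons it was flagged: an external host, a
    non-standard port (the :8080 pattern in the post), and a zero-size iframe.
    """
    parser = RefCollector()
    parser.feed(html)
    findings = []
    for tag, attrs, line in parser.refs:
        src = attrs.get("src")
        if not src:
            continue  # inline script, or iframe without src
        parts = urlsplit(src)
        host = parts.hostname
        if host is None or _same_site(host, site_host) or host in allowlist:
            continue  # relative, same-site or explicitly trusted
        reasons = ["external host"]
        if parts.port not in (None, 80, 443):
            reasons.append("non-standard port %d" % parts.port)
        if tag == "iframe" and (attrs.get("width") == "0" or attrs.get("height") == "0"):
            reasons.append("zero-size iframe")
        findings.append({"tag": tag, "src": src, "host": host,
                         "line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in external_refs(SAMPLE_HTML, "chinagreen.gov.cn", {"cdn.example"}):
        print("line %d <%s> %s: %s" % (f["line"], f["tag"], f["src"], ", ".join(f["reasons"])))
```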

nemohuildiin.ru is known to have responded to 31.31.204.61 and most recently to 5.63.152.19.

Known to have responded to the same IP (31.31.204.61) are also the following malicious domains:




Moreover, we also got a decent number of malicious MD5s known to have used the same IP as C&C over the last couple of months, indicating that the artifact is still part of the C&C infrastructure of active campaigns.

The following malicious MD5s are also known to have phoned back to the same IP over the last couple of months:


Known to have responded to 5.63.152.19 are also the 
following malicious domains: 

In a cybercrime ecosystem dominated by leaked [10]DIY mass Web site hacking tools and [11]sophisticated iframe-ing platforms, malicious artifacts are a great reminder that as long as a Web site remains susceptible to remote exploitation, it's only a matter of time before a potential cybercriminal embeds/injects a malicious script on it.

That's cybercrime-friendly common sense.

This post has been reproduced from [12]Dancho Danchev's blog. Follow him [13]on Twitter
Scareware, Blackhat SEO, Spam and Google Groups Abuse, Courtesy of the Koobface Gang (2013-11-04 18:36)

The Koobface gang is known to have embraced the potential of the "underground multi-tasking" model a long time ago, in order to achieve the "malicious economies of scale" effect. This "underground multi-tasking" most commonly comes in the form of multiple monetization campaigns, which upon closer analysis always lead back to the Koobface gang's infrastructure. In fact, the gang is so obsessed with efficiency that particular redirectors and key malicious domains for a particular campaign are also, simultaneously, rotated across all the campaigns that they manage.

For instance, throughout the past half a year, a huge percentage of the malicious infrastructure used simultaneously in multiple campaigns was parked on the [1]now shut down Riccom LTD - AS29550. From the [2]massive blackhat SEO campaigns affecting millions of legitimate web sites managed by the gang, to the [3]malvertising attack at the New York Times web site, and [4]the click-fraud facilitating [5]Bahama botnet, the Koobface botnet is only the tip of the iceberg for the efficient and fraudulent money machine that the gang operates.

In this analysis, I'll once again establish a connection between the ongoing blackhat SEO campaigns managed by the gang ([6]Blackhat SEO Campaign Hijacks U.S. Federal Form Keywords, Serves Scareware; [7]U.S. Federal Forms Blackhat SEO Themed Scareware Campaign Expanding; [8]Dissecting the Ongoing U.S. Federal Forms Themed Blackhat SEO Campaign), with a spam campaign that's also syndicated across multiple Google Groups, and the Koobface botnet itself, with a particular emphasis on the scareware monetization taking place across all the campaigns.

Related Koobface research and analysis:

[9] The Koobface Gang Wishes the Industry "Happy Holidays"

[10] Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline

[11] Koobface Botnet Starts Serving Client-Side Exploits

[12] Massive Scareware Serving Blackhat SEO, the Koobface Gang Style

[13] Koobface Botnet's Scareware Business Model - Part Two

[14] Koobface Botnet's Scareware Business Model - Part One

[15] Koobface Botnet Redirects Facebook's IP Space to my Blog

[16] New Koobface campaign spoofs Adobe's Flash updater

[17] Social engineering tactics of the Koobface botnet

[18] Koobface Botnet Dissected in a TrendMicro Report

[19] Movement on the Koobface Front - Part Two

[20] Movement on the Koobface Front
Facebook FarmTown Malvertising Campaign Courtesy of the Koobface Gang (2013-11-04 18:36)

Earlier this week, another malvertising campaign affected a popular community, in the face of Facebook's FarmTown. You have to analyze and cross-check it to believe it.

Key summary points:

• the email test@now.net.cn used to register all the domains involved in the malvertising campaign is exclusively used by the Koobface gang for numerous scareware registrations seen -

Money Mule Recruiters Trick Mules Into Installing Fake Transaction Certificates (2013-11-04 18:37)

What is more flattering than Ukrainian blackhat SEO gangs using my name as redirectors, including offensive messages, the Koobface gang redirecting Facebook's IP space to your blog, or a plain simple danchodanchev admin panel within a Crime Pack kit?

It's the money mule recruiters who modify the HOSTS file of gullible mules to redirect ddanchev.blogspot.com and bobbear.co.uk to 127.0.0.1. Now that's flattering, considering the fact that my public money mule ecosystem related research represents a tiny percentage of the real profiling/activities taking place behind the curtains.
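The tampering described above leaves a simple trace: public domains mapped to loopback. The following is an added example in Python (not the recruiters' tool or the author's code) that parses a HOSTS file and reports such entries; HOSTS_SAMPLE is a constructed file containing the two redirections the post describes, and the LOCAL_NAMES allow-list of names that legitimately map to loopback is an assumption to tune per environment.

```python
"""Flag HOSTS-file entries that sink public domains into loopback or 0.0.0.0.

Added example for this post; not the recruiters' tool or the author's code.
HOSTS_SAMPLE is constructed; LOCAL_NAMES is an assumed allow-list.
"""
import ipaddress
from typing import List, NamedTuple

HOSTS_SAMPLE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# lines added by a bogus "transaction certificate" installer (constructed)
127.0.0.1 ddanchev.blogspot.com
127.0.0.1 bobbear.co.uk www.bobbear.co.uk  # block anti-mule research
0.0.0.0 research-site.example
not-an-ip  garbage.example
"""

# Names that legitimately resolve to loopback (assumption; extend as needed).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}


class Finding(NamedTuple):
    line: int
    ip: str
    host: str


def sinkholed_entries(text: str) -> List[Finding]:
    """Return entries that map a dotted, non-local hostname to a loopback or
    unspecified address, i.e. names that would silently stop resolving."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing and whole-line comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed first field, skipped
        if not (addr.is_loopback or addr.is_unspecified):
            continue  # a real address; not a sinkhole entry
        for host in fields[1:]:
            name = host.lower()
            if name in LOCAL_NAMES or "." not in name:
                continue  # expected local aliases and bare hostnames
            findings.append(Finding(lineno, fields[0], name))
    return findings


if __name__ == "__main__":
    for f in sinkholed_entries(HOSTS_SAMPLE):
        print("line %d: %s -> %s" % (f.line, f.host, f.ip))
```

On Windows the file to read is %SystemRoot%\System32\drivers\etc\hosts; any finding there for a domain the user never added is worth treating as a tamper indicator.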


Related coverage of money laundering/recruitment in the context of cybercrime:

[1] Keeping Money Mule Recruiters on a Short Leash - Part Four

[2] Money Mule Recruitment Campaign Serving Client-Side Exploits

[3] Keeping Money Mule Recruiters on a Short Leash - Part Three

[4] Money Mule Recruiters on Yahoo!'s Web Hosting

[5] Dissecting an Ongoing Money Mule Recruitment Campaign

[6] Keeping Money Mule Recruiters on a Short Leash - Part Two

[7] Keeping Reshipping Mule Recruiters on a Short Leash

[8] Keeping Money Mule Recruiters on a Short Leash

[9] Standardizing the Money Mule Recruitment Process

[10] Inside a Money Laundering Group's Spamming Operations

[11] Money Mule Recruiters use ASProx's Fast Fluxing Services

[12] Money Mules Syndicate Actively Recruiting Since 2002
A Peek Inside a Customer-ized API-enabled DIY Online Lab for Generating Multi-OS Mobile Malware (2013-11-12 02:57)

The exponential growth of mobile malware over the last couple of years can be attributed to a variety of 'growth factors', the majority of which continue playing an inseparable role in the overall success and growth of the cybercrime ecosystem in general.

Tactics like [1]standardization, efficiency-oriented monetization, systematic bypassing of industry accepted/massively adopted security measures like signature-based antivirus scanning, [2]affiliate networks helping cybercriminals secure revenue streams for their malicious/fraudulent tactics, techniques and procedures (TTPs), as well as the pseudo-legal distribution of deceptive software - think scareware with long EULAs and ToS-es - as well as mobile applications - think [3]subscription based premium rate SMS malware with long EULAs and ToS-es - continue dominating the arsenal of tactics that any cybercriminal aspiring to occupy a market share in any market segment within the cybercrime ecosystem can easily take advantage of in 2013.

What has changed over the last couple of years, in terms of concepts? A lot. For instance, back in 2007, approximately one year after I (publicly) anticipated the upcoming and inevitable [4]monetization of mobile malware, the Red Browser started making its rounds, proving that I was sadly wrong, and once again, money and greed - or plain simple profit maximization to others - would play a crucial role in this, back then emerging, cybercrime ecosystem market segment for mobile malware. [5]Similar monetization attempts on behalf of cybercriminals then followed, to further strengthen the ambitions of cybercriminals in this emerging market segment.

With "[6]malicious economies of scale" just starting to materialize at the time, it didn't take long before the concept started getting embedded into virtually each and every cybercrime-friendly product/service advertised on the market. Thanks to [7]Symbian OS dominating the mobile operating system market at the time, opportunistic cybercriminals quickly adapted to steal a piece of the pie, by releasing multiple [8]Symbian based malware variants.

Sharing is caring, therefore, here are some MD5s from the Symbian malicious code that used to dominate the threat landscape back then.

Symbian OS malware MD5s from that period of time, for historical OSINT purposes:



In 2013, we can easily differentiate between the [9]botnet building type of [10]two-factor authentication bypassing mobile trojans, and the ubiquitous for the market segment subscription based premium rate SMS malware, relying on deceptive advertising and successful 'visual social engineering' campaigns. The latter continues to get largely monetized through one of the primary growth factors of the mobile market segment, namely, [11]affiliate networks for mobile malware.

In this post, I'll profile what can be best described as a sophisticated, customer-ized, customization and efficiency oriented, API-supporting, DIY mobile "lab" for generating, managing and operating multi-mobile-operating-system type of mobile malware campaigns. The service's unique value proposition (UVP) in comparison to that of competing "labs" for managing, operating and converting mobile traffic - [12]acquisition and selling of [13]mobile traffic is a commoditized underground market item in 2013 - orbits around the feature rich interface, offering 100% customization, monitoring and generally operating the campaigns, while efficiently earning fraudulently obtained revenue from unsuspecting mobile device users.

Sample screenshots featuring the administration panel of an affiliate network participant:

Sample "system" domains used for hosting/rotating the generated mobile malware samples courtesy of the service:



Known to have responded to the same IP (91.202.63.75) are also the following malicious domains:


Sample Web sites serving multi-mobile-operating-system premium rate mobile malware, relying on the service:

Samples generated and currently distributed in the wild using the service:

[14] MD5: ac69514f9632539f9e8ad7b944556ed8 - detected by 15 out of 48 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.Stealer.a

[15] MD5: e62f97a095ca15747bb529ee9f1b5057 - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[16] MD5: 0688dac2754cce01183655bbbe50a0b1 - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[17] MD5: 4062a77bda6adf6094f4ab209c71b801 - detected by 2 out of 44 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[18] MD5: 42a6cf362dbff4fd1b5aa9e82c5b7b56 - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[19] MD5: 3bcbe78a2fa8c050ee52675d9ec931ad - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[20] MD5: 53d3d35cf896938e897de002db6ffc68 - detected by 2 out of 47 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[21] MD5: 2f66735b37738017385cc2fb56c21357 - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[22] MD5: 0ec11bba4a6a86eb5171ecad89d78d05 - detected by 2 out of 47 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[23] MD5: 9f059c973637f105271d345a95787a5f - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[24] MD5: f179a067580014b1e16900b90d90a872 - detected by 2 out of 47 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[25] MD5: aef4f659943cbc530e4e1b601e75b19e - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[26] MD5: 8a00786ed6939a8ece2765d503c97ff8 - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[27] MD5: 868fcf05827c092fa1939930c2f50016 - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[28] MD5: a6ef49789845ed1a66f94fd7cc089e1b - detected by 2 out of 47 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[29] MD5: 22aa473772b2dfb0f019dac3b8749bb6 - detected by 2 out of 45 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[30] MD5: 52b74046d0c123772566d591524b3bf7 - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[31] MD5: bbff61a2e3555a6675bc77621be19a73 - detected by 2 out of 46 antivirus scanners as Java.SMSSend.780; J2ME/TrojanSMS.Agent.DX

[32]Cybercrime-friendly affiliate networks continue, and will continue, to represent a major driving factor behind the growth of any market segment within the cybercrime ecosystem, as they result in a win-win-lose scenario for their operations, participants and the potential victims of the fraudulent/malicious propositions/releases courtesy of these networks. With mobile traffic acquisition available on demand based on any given preference a potential customer could have, cybercriminals would continue converting it into victims, cashing in on their overall lack of awareness of the TTPs of today's modern cybercriminals.
New Commercially Available Modular Malware Platform Released On the Underground Marketplace

(2013-11-13 00:15) 

Cybercriminals have recently released a new (v3 to be more precise, indicating a possible beneath the radar operation until now), commercially available, modular malware platform, including such cybercrime-friendly features as DNS Changer, Loaders, [1]Injects, and [2]Ransomware features - completely blocking the Internet access of [3]the affected user in this particular case - with several upcoming modules such as stealth VNC and Remote IE (a feature which would allow them to completely hijack any sort of encrypted session taking place on the affected host, naturally including the cookies).

Sample screenshots of the command and control interface + DNS Changer in action:
With prices for the standard package starting from $1,500, I expect that the malware bot will quickly gain market share thanks to its compatibility with existing/working crimeware concepts/releases, as well as thanks to the general availability of 24/7/365 [4]managed malware crypting services, applying the necessary degree of QA (Quality Assurance) to a potential campaign before launching it. Moreover, yet another factor that would greatly contribute to the success of such newly released platforms is the ease of acquisition of legitimate traffic - think [5]blackhat SEO, [6]compromised FTP accounts, or [7]mass SQL injection campaigns - to be later on converted into malware-infected hosts, most commonly through social engineering, or the client-side exploitation of outdated and already patched vulnerabilities in browser plugins/third-party applications.

Furthermore, with or without the full scale modularity in place - some of the modules are currently in the works - as well as the lack of built-in renting/reselling/traffic acquisition/affiliate network type of monetization elements, typical for what can be best described as a platform type of underground market release compared to a standalone modular malware bot, the bot's worth keeping an eye on.


The DNS Changer IP seen in the screenshot, 62.76.176.214 (62-76-176-214.clodo.ru), can also be connected to related malicious activity. For instance, [8]MD5: cef012fb4fa7cd55f04558ecee04cd4e is known to have previously phoned back to 62.76.176.214.

And most interestingly, [9]according to this assessment, next to phoning back to 62.76.176.214, the following malicious domains are also known to have been used as C&Cs by the same sample:

6r3u8874dfd9.com - known to have responded to 31.170.179.179

r55u87799hd39.com - known to have responded to 31.170.179.179

r95u8114dfd9.com

The following malicious MD5s are also known to have phoned back to the same C&C IP (31.170.179.179) since the beginning of the month:


This post has been reproduced from [10]Dancho Danchev's blog. Follow him [11]on Twitter.
Fake Chrome/Firefox/Internet Explorer/Safari Updates Expose Users to Android Malware (2013-11-14 16:38)

A currently ongoing [1]malicious campaign using compromised sites as the primary traffic acquisition tactic is attempting to socially engineer users (English and Russian speaking) into thinking that they're using an outdated version of their browser and need to apply a bogus (security/antivirus) update. In reality though, the update is a variant of Trojan:Android/Fakeinst.EQ/Android.SmsSend.

Sample screenshots of the fake browser update 
landing pages: 


Social engineering redirection chain:

hxxp://france-leasebacks.com/includes/domit/l.php -> hxxp://advertcliks.net/ir/28/1405/56e9ca1335c2773445a79d5ddf75a755/tl (93.115.82.239; Email: maxax-aha@gmail.com) -> hxxp://newupdateronline.org (109.163.230.182; Email: vbistrih@yandex.com).


Known to have responded to 109.163.230.182 are 
also the following domains: 


Sample Android samples pushed by the campaign:

[2] MD5: da7fffa08bdeb945ca8237c2894aedd0 - detected by 11 out of 46 antivirus scanners as Android.SmsSend.809.origin; Android.Trojan.FakeInst.HE

[3] MD5: 1e1f57f6c8c9fb39da8965275548174f - detected by 17 out of 46 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.FakeInst.fe; Andr/RuSms-AL

[4] MD5: b0f597636859b7f5b2c1574d7a8bbbbb - detected by 13 out of 47 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.FakeInst.fe; Andr/RuSms-AL

[5] MD5: b40aebc327e1bc6aabe5ccb4f18e8ea4 - detected by 16 out of 48 antivirus scanners as Android:FakeIns-AF; Trojan:Android/Fakeinst.EQ

All samples phone back to dlsdcncnew.net (109.163.230.182; Email: constantin.zawyalov@yandex.ru). Responding to the same IP is also newapk-flv.org.



The same email is also known to have been 
previously used to register the following domains: 


It appears that the traffic is not segmented - to [6]affect mobile device users only - at any point of the redirection chain, an indication of what I believe is a boutique cybercrime-friendly operation. In comparison, the relatively more sophisticated ones would segment the traffic, usually acquired through the [7]active exploitation of tens of thousands of legitimate Web sites, or the direct purchase of segmented mobile traffic.
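As an added example (not code from the original post), the Python triage script below reconstructs a client's redirect chain from proxy log lines by walking Referer headers backwards, and flags Android package downloads that were served to desktop browsers, which is the unsegmented-traffic trait described above. The hostnames in KNOWN_CHAIN_HOSTS are the ones named in this post; the log format, the sample log lines and the function names are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Hostnames named in the post's redirection chain and phone-back section.
KNOWN_CHAIN_HOSTS = {
    "france-leasebacks.com",  # compromised site used as the entry point
    "advertcliks.net",        # traffic redirector
    "newupdateronline.org",   # fake browser update landing page
    "dlsdcncnew.net",         # host the Android samples phone back to
}

# Constructed log format (not any real proxy's): ts client status url referer "user-agent"
LOG_RE = re.compile(r'^(\d+) (\S+) (\d{3}) (\S+) (\S+) "([^"]*)"$')
MOBILE_UA_MARKERS = ("Android", "iPhone", "iPad", "Symbian", "J2ME", "Windows Phone")

# Constructed sample lines: a desktop Firefox user is walked through the whole
# chain to an .apk, and an Android user fetches an .apk from the landing page.
SAMPLE_LOG = """\
1384444800 10.0.0.5 200 http://france-leasebacks.com/includes/domit/l.php - "Mozilla/5.0 (Windows NT 6.1) Firefox/24.0"
1384444801 10.0.0.5 302 http://advertcliks.net/ir/28/1405/abc/tl http://france-leasebacks.com/includes/domit/l.php "Mozilla/5.0 (Windows NT 6.1) Firefox/24.0"
1384444802 10.0.0.5 200 http://newupdateronline.org/ http://advertcliks.net/ir/28/1405/abc/tl "Mozilla/5.0 (Windows NT 6.1) Firefox/24.0"
1384444805 10.0.0.5 200 http://newupdateronline.org/update/firefox_update.apk http://newupdateronline.org/ "Mozilla/5.0 (Windows NT 6.1) Firefox/24.0"
1384444900 10.0.0.9 200 http://example.org/news.html - "Mozilla/5.0 (Linux; Android 4.1) Chrome/30.0"
1384444950 10.0.0.9 200 http://newupdateronline.org/update/chrome_update.apk http://newupdateronline.org/ "Mozilla/5.0 (Linux; Android 4.1) Chrome/30.0"
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, status, url, referer, ua = m.groups()
        records.append({
            "ts": int(ts), "client": client, "status": int(status), "url": url,
            "referer": None if referer == "-" else referer, "ua": ua,
        })
    return records


def is_mobile_ua(ua):
    """Crude device check: any of the mobile markers in the User-Agent string."""
    return any(marker in ua for marker in MOBILE_UA_MARKERS)


def build_chain(client_records, final_url):
    """Walk Referer links backwards from final_url to the entry page.

    Returns hostnames in visit order (entry first); consecutive repeats of the
    same host are collapsed, and a referer loop terminates the walk.
    """
    referer_of = {r["url"]: r["referer"] for r in client_records}
    urls, seen = [], set()
    cur = final_url
    while cur and cur not in seen:
        seen.add(cur)
        urls.append(cur)
        cur = referer_of.get(cur)
    hosts = []
    for u in reversed(urls):
        host = urlparse(u).hostname or ""
        if not hosts or hosts[-1] != host:
            hosts.append(host)
    return hosts


def triage(text):
    """One finding per .apk download, oldest first, with the chain that led to it."""
    by_client = defaultdict(list)
    for r in parse_log(text):
        by_client[r["client"]].append(r)
    findings = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for r in recs:
            if not urlparse(r["url"]).path.lower().endswith(".apk"):
                continue
            chain = build_chain(recs, r["url"])
            findings.append({
                "ts": r["ts"], "client": client, "chain": chain,
                "known_hosts": sorted(set(chain) & KNOWN_CHAIN_HOSTS),
                # An .apk pushed to a non-mobile browser is the unsegmented case.
                "desktop_client": not is_mobile_ua(r["ua"]),
            })
    return sorted(findings, key=lambda f: f["ts"])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        kind = "desktop client" if f["desktop_client"] else "mobile client"
        print(f["client"], " -> ".join(f["chain"]), kind, "known hosts:", f["known_hosts"])
```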

Interestingly, both novice players in this market segment and the experienced ones are implementing basic evasive tactics, such as, for instance, the need to provide a valid mobile number, where a potential victim will receive a confirmation code for accessing the inventory of rogue games and applications, thereby preventing automatic acquisition of the apps for further analysis. Moreover, providing a valid mobile number to the cybercriminals behind the campaign is naturally prone to be abused in ways largely based on the preferences of those who obtained it through such a way, therefore users are advised to treat their mobile number in a privacy-conscious way.

This post has been reproduced from [8]Dancho Danchev's blog. Follow him [9]on Twitter.

1. http://ddanchev.blogspot.com/2013/09/rogue-iframe-injected-web-sites-lead-to.html

malware-spreads-through-compromised-legitimate-web-sites/

7. http://ddanchev.blogspot.com/2013/09/rogue-iframe-injected-web-sites-lead-to.html

8. http://ddanchev.blogspot.com/

9. http://twitter.com/danchodanchev
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Fake Chrome/Firefox/Internet Explorer/Safari 
Updates Expose Users to Android Malware (2013-11- 
14 16:38) 























A currently ongoing [IJmalicious campaign using 
compromised sites as the primary traffic acquisition 
tactic, is 

attempting to socially engineer users (English and Russian 
speaking) into thinking that they're using an outdated 

version of their browser, and need to apply a bogus 
(security/antivirus) update. In reality though, the update is 
a 

variant of Trojan:Android/Fakeinst.EQ/Android.SmsSend. 

Sample screenshots of the fake browser update 
landing pages: 

791 


792 


Social 

engineering 

redirection 

chain: 

hxxp.V/france-leasebacks. com/includes/domit/l.php 


hxxp://a dvertcliks. net/ir/28/1405/56e9ca1335c2773445a 79 
d5ddf75a755/tl 

(93.115.82.239; 

Email: 

maxax- 

aha(g)gmail.com) -> hxxp://newupdateronline.org 
(109.163.230.182; Email: vbistrih@yandex.com). 

Known to have responded to 109.163.230.182 are also the following domains:

ImcS.asia
anglecultivatep.in
appallinglyndiscoveries.in
bilious-Gbiros.in
boathire.pw
cvwv87.pro
disdcncnewl.pw
efuv77.pro
familye-perspex.in
farting-meagre.in
flvupdate.in
fringeclamberedk.in
hopefully-greatS.in
investment-growsa.asia
money-tree.pw
moon-media.pw
moontree.pw
mountainlake.pw
movingv-relation.in
new-updateronline.org

Sample Android samples pushed by the campaign:

[2] MD5: da7fffa08bdeb945ca8237c2894aedd0 - detected by 11 out of 46 antivirus scanners as Android.SmsSend.809.origin; Android.Trojan.FakeInst.HE

[3] MD5: 1e1f57f6c8c9fb39da8965275548174f - detected by 17 out of 46 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.FakeInst.fe; Andr/RuSms-AL

[4] MD5: b0f597636859b7f5b2c1574d7a8bbbbb - detected by 13 out of 47 antivirus scanners as HEUR:Trojan-SMS.AndroidOS.FakeInst.fe; Andr/RuSms-AL

[5] MD5: b40aebc327e1bc6aabe5ccb4f18e8ea4 - detected by 16 out of 48 antivirus scanners as Android:FakeIns-AF; Trojan:Android/Fakeinst.EQ

All samples phone back to dlsdcncnew.net (109.163.230.182; Email: Constantin.zawyalov(a)yandex.ru). Responding to the same IP is also newapk-flv.org.

The same email is also known to have been previously used to register the following domains:

downloader8days.in
open-filedownload4.in (known to have responded to 188.95.159.30)
upweight.in
bestnewbrowsers.in
bestowedcomedyb.org (known to have responded to 109.163.230.180)
expandload.in
2012internet-load.in
4interfilefolder.in
99030.in
admitted-6crept.org
rufileserver.in


It appears that the traffic is not segmented - to [6]affect mobile device users only - at any point of the redirection chain, an indication of what I believe is a boutique cybercrime-friendly operation. In comparison, the relatively more sophisticated operations segment the traffic, usually acquired through the [7]active exploitation of tens of thousands of legitimate Web sites, or through the direct purchase of segmented mobile traffic.
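How do you actually establish that a chain is, or is not, segmented? The practical check is to walk the chain once per client profile and see where the hops diverge. The Python below is an added example, not code from the original post: it walks a redirection chain hop by hop with a desktop and an Android User-Agent and reports the first hop at which the two paths differ. The fetcher is injectable, so the script runs offline against two constructed models of a traffic direction system (one that segments on User-Agent, one that does not); the host names, User-Agent strings and hop layout are invented for the example and are not the campaign's real infrastructure.

```python
"""Probe a redirection chain for User-Agent based traffic segmentation.

Added example, not code from the original post. The post notes that the fake
browser update chain was NOT segmented: desktop and mobile visitors were walked
through the same hops. This helper walks a chain once per User-Agent and reports
the first hop at which the paths diverge. The fetcher is injectable, so the
example runs offline against two constructed models of a traffic direction
system (one segmenting, one not). The host names below are invented.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed User-Agent strings for the probe (assumptions, not from the post).
UA_DESKTOP = "Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0"
UA_ANDROID = ("Mozilla/5.0 (Linux; Android 4.3; Nexus 4) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/30.0 Mobile Safari/537.36")

# A fetcher returns (status, Location header or None) for ONE request and must
# not follow redirects itself, otherwise the intermediate hops are lost.
Fetcher = Callable[[str, str], Tuple[int, Optional[str]]]
REDIRECT_STATUSES = (301, 302, 303, 307, 308)
MAX_HOPS = 10


def walk_chain(start: str, user_agent: str, fetch: Fetcher) -> List[str]:
    """Return the ordered URLs visited, starting with `start`. Stops on a
    non-redirect status, a missing Location header, a loop, or MAX_HOPS."""
    hops, seen, url = [start], {start}, start
    for _ in range(MAX_HOPS):
        status, location = fetch(url, user_agent)
        if status not in REDIRECT_STATUSES or not location:
            break
        hops.append(location)
        if location in seen:            # redirect loop: record it and stop
            break
        seen.add(location)
        url = location
    return hops


def find_divergence(start: str, fetch: Fetcher,
                    agents: Tuple[str, ...] = (UA_DESKTOP, UA_ANDROID)):
    """Walk `start` once per User-Agent. Returns (hop_index, paths): hop_index is
    the first position at which any two paths differ, or None when every agent
    sees the same chain, i.e. the operators do not segment on User-Agent."""
    paths: Dict[str, List[str]] = {ua: walk_chain(start, ua, fetch) for ua in agents}
    longest = max(len(p) for p in paths.values())
    for i in range(longest):
        column = {p[i] if i < len(p) else None for p in paths.values()}
        if len(column) > 1:
            return i, paths
    return None, paths


def is_mobile(ua: str) -> bool:
    return "Android" in ua or "Mobile" in ua


def make_model_fetcher(rules: Dict[str, Callable[[str], Tuple[int, Optional[str]]]]) -> Fetcher:
    """Build an offline fetcher from a table of per-URL behaviours; unknown URLs
    answer 200 with no Location, which ends the walk."""
    def fetch(url: str, ua: str) -> Tuple[int, Optional[str]]:
        handler = rules.get(url)
        return handler(ua) if handler else (200, None)
    return fetch


# Constructed models: compromised site -> TDS -> landing page (hypothetical hosts).
START = "http://compromised.example/includes/x.php"
NON_SEGMENTING = make_model_fetcher({
    START: lambda ua: (302, "http://tds.example/ir/1"),
    "http://tds.example/ir/1": lambda ua: (302, "http://landing.example/update.html"),
})
SEGMENTING = make_model_fetcher({
    START: lambda ua: (302, "http://tds.example/ir/1"),
    "http://tds.example/ir/1": lambda ua: (
        (302, "http://landing.example/update.html") if is_mobile(ua)
        else (302, "http://benign.example/")),
})

if __name__ == "__main__":
    for name, fetcher in (("non-segmenting", NON_SEGMENTING), ("segmenting", SEGMENTING)):
        idx, paths = find_divergence(START, fetcher)
        print(f"{name}: diverges at hop {idx}")
        for ua, path in paths.items():
            print("  ", ua.split("(")[1].split(";")[0], "->", " -> ".join(path))
```

To run this against a live chain, replace the model fetcher with one built on http.client or urllib.request that returns the Location header without following it. Two caveats: a TDS can key on Referer, Accept-Language, or the client's IP/ASN as well as User-Agent, so a "no divergence" result only says the chain does not segment on the headers you varied; and every probe you send is a hit in the operator's statistics, so probe from infrastructure you do not mind burning.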

Interestingly, both novice players in this market segment and the experienced ones are implementing basic evasive tactics, such as requiring a valid mobile number, to which a potential victim will receive a confirmation code for accessing the inventory of rogue games and applications, thereby preventing automatic acquisition of the apps for further analysis.

Moreover, providing a valid mobile number to the cybercriminals behind the campaign is naturally prone to abuse in ways that depend entirely on the preferences of whoever obtained it, so users are advised to treat their mobile number in a privacy-conscious way.

Updates will be posted as soon as new developments take place.
Summarizing Webroot's Threat Blog Posts for November (2013-12-03 23:38)

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for November, 2013. You can subscribe to [2]Webroot's Threat Blog RSS Feed, or follow me on Twitter:

01. [3]Google-dorks based mass Web site hacking/SQL injecting tool helps facilitate malicious online activity

02. [4]Deceptive ads lead to the SpyAlertApp PUA (Potentially Unwanted Application)

03. [5]Cybercriminals differentiate their 'access to compromised PCs' service proposition, emphasize on the prevalence of 'female bot slaves'

04. [6]New vendor of 'professional DDoS for hire service' spotted in the wild

05. [7]Source code for proprietary spam bot offered for sale, acts as force multiplier for cybercrime-friendly activity

06. [8]Low Quality Assurance (QA) iframe campaign linked to May's Indian government Web site compromise spotted in the wild

07. [9]Popular French torrent portal tricks users into installing the BubbleDock/Downware/DownloadWare PUA (Potentially Unwanted Application)

08. [10]Web site of Brazilian 'Prefeitura Municipal de Jaqueira' compromised, leads to fake Adobe Flash player

09. [11]Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cocktail of client-side exploits

10. [12]Vendor of TDoS products/services releases new multi-threaded SIP-based TDoS tool

11. [13]Cybercriminals spamvertise tens of thousands of fake 'Sent from my iPhone' themed emails, expose users to malware

12. [14]Fake 'Annual Form (STD-261) - Authorization to Use Privately Owned Vehicle on State Business' themed emails lead to malware

13. [15]'Newly released proxy-supporting Origin brute-forcing tools targets users with weak passwords'

14. [16]Fake WhatsApp 'Voice Message Notification' themed emails expose users to malware

15. [17]Cybercriminals impersonate HSBC through fake 'payment e-Advice' themed emails, expose users to malware

16. [18]Fake 'MMS Gallery' notifications impersonate T-Mobile U.K, expose users to malware

17. [19]Fake 'October's Billing Address Code' (BAC) form themed spam campaign leads to malware
Facebook Circulating 'Who's Viewed Your Profile' Campaign Exposes 800k+ Users to CrossRider PUA/Rogue Firefox Add-ons/Android Adware AirPush (2013-12-04 02:25)

A massive privacy-violating "Who's Viewed Your Profile" campaign circulating on Facebook has been operating beneath the radar, exposing over 800,000 users internationally to a cocktail of [1]PUAs (Potentially Unwanted Applications), rogue Firefox add-ons impersonating Adobe's Flash Player, and the Android-based adware AirPush.

Relying on the proven social engineering tactic of "offering what's not being offered in general", and hosting the rogue files on legitimate service providers - Google Docs and Dropbox in this particular case - the campaign is a good example of how this social engineering scheme, ubiquitous on the social network, continues to trick gullible and uninformed users into installing privacy-violating applications on their hosts/mobile devices.

Let's dissect the campaign, expose its infrastructure, (conservatively) assess the damage, and provide fresh MD5s for the currently served privacy-violating PUAs, Firefox add-ons, and Android adware.

Primary spamvertised Facebook URL: FCOSYUC.tk/?15796422

Redirection chain:

p2r0f3rviewer9890.co.nf -> bit.ly/1bZCeNv?vsdvc -> wh0prof.uni.me/?sdvsjka -> wh0prof.uni.me/ch/

Rogue Google Store Extension URL (currently offline):

hxxps://chrome.google.com/webstore/detail/dllaajjfgpigkeblmlbamflggfjkgbej

Campaign's GA Account ID: UA-12798017-1
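Before any of the indicators in a write-up like this can be pivoted on or blocked, they have to be pulled out of the defanged notation (hxxp://, (a) for @, and so on) and normalised. The Python below is an added example, not code from the original post: it refangs the text, then extracts URLs, host names, IPv4 addresses, e-mail addresses, MD5 hashes and Google Analytics property IDs such as the UA-12798017-1 pivot above. The sample text it runs on is constructed for the example (RFC 5737 addresses, .example hosts, a placeholder hash) and is not the campaign's data.

```python
"""Refang and extract indicators from a defanged threat write-up.

Added example, not code from the original post. Write-ups such as this one
defang indicators so they cannot be clicked by accident: hxxp:// for http://,
(a) or [at] for @, [.] for a dot. This module reverses that notation and pulls
out URLs, host names, IPv4 addresses, e-mail addresses, MD5 hashes and Google
Analytics property IDs (the campaign's UA-xxxxxxxx-x pivot), ready for a
blocklist or a pivot database. SAMPLE below is constructed for the example and
is not the post's own data.
"""
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

REFANG_RULES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"hxxp(s?)://", re.I), r"http\1://"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."),            # 198[.]51[.]100[.]5 -> 198.51.100.5
    (re.compile(r"\((?:a|at)\)|\[at\]", re.I), "@"),        # user(a)example.net -> user@example.net
]

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
HOST_RE = re.compile(r"^https?://([^/:?#]+)")
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)
GA_RE = re.compile(r"\bUA-\d{4,10}-\d{1,3}\b")


def refang(text: str) -> str:
    """Undo the defanging conventions listed in REFANG_RULES."""
    for pattern, repl in REFANG_RULES:
        text = pattern.sub(repl, text)
    return text


@dataclass
class Indicators:
    urls: Set[str] = field(default_factory=set)
    hosts: Set[str] = field(default_factory=set)
    ips: Set[str] = field(default_factory=set)
    emails: Set[str] = field(default_factory=set)
    md5s: Set[str] = field(default_factory=set)
    ga_ids: Set[str] = field(default_factory=set)


def extract(text: str) -> Indicators:
    """Refang `text`, then collect every indicator type into one record.
    Hosts are split out of URLs; bare IPs in parentheses are caught by IPV4_RE."""
    text = refang(text)
    ind = Indicators()
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;")                 # trailing prose punctuation is not part of the URL
        ind.urls.add(url)
        m = HOST_RE.match(url)
        if m:
            host = m.group(1).lower()
            (ind.ips if IPV4_RE.fullmatch(host) else ind.hosts).add(host)
    ind.ips.update(IPV4_RE.findall(text))
    ind.emails.update(e.lower() for e in EMAIL_RE.findall(text))
    ind.md5s.update(h.lower() for h in MD5_RE.findall(text))
    ind.ga_ids.update(GA_RE.findall(text))
    return ind


# Constructed sample in the defanged style of the write-up (not the post's data).
SAMPLE = """
Redirection chain: hxxp://compromised.example/includes/x.php ->
hxxp://tds.example/ir/28/1405/tl (198.51.100.23; Email: ops(a)example.net) ->
hxxps://landing.example/update (203.0.113.7; Email: admin@example.org).
MD5: 0123456789ABCDEF0123456789abcdef - detected by 11 out of 46 antivirus scanners.
Campaign's GA Account ID: UA-00000000-1
"""

if __name__ == "__main__":
    found = extract(SAMPLE)
    for kind in ("hosts", "ips", "emails", "md5s", "ga_ids"):
        print(f"{kind:7s}", sorted(getattr(found, kind)))
```

Two things to keep in mind when using it on real write-ups: refanging has to happen before extraction, or none of the hxxp URLs match; and a bare 32-hex-character regex also matches hex-looking host labels (the cz.cc names in the follow-up post are exactly that), so confirm from context before loading a match as a file hash.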
Domain name reconnaissance:

wh0prof.uni.me - 192.157.201.42

Known to have responded to the same IP are also the following domains:

cracks4free.info
pr0lotra.p9.org

Google Docs Hosted PUA URLs:

hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqVFIjUDBnTjFHdVE&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqRXBMLWZ4cVZJV2s&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqUjllLWc4MVFRQUk&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqOXlyNko0VFBOdnM&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqZmSyeUFudFhqclU&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqbWpfNW5FalJmRGM&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqS3VlZkZBQjJGbjQ&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqX2xXbEJLbEY0Q3M&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqMU5RVkJSWURxMEO&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqVFIjUDBnTjFHdVE&export=download

Dropbox Firefox Add-on/Android APK Hosted URLs:

hxxps://dl.dropboxusercontent.com/s/so3vm50w298qkto/WhoViewsYourProfile.apk
hxxps://dl.dropboxusercontent.com/s/kor9c2mqv49esva/kkadobe-ff.xpi
Detection rate for the served PUAs, the Android adware and the rogue Firefox Add-on:

[2] MD5: c7fcf7078597ea752b8d54e406c266a7 - detected by 5 out of 48 antivirus scanners as PUP.Optional.CrossRider

[3] MD5: 30cf98d7dc97cae57f8d72487966d20b - detected by 6 out of 48 antivirus scanners as Trojan.Dropper.FB

[4] MD5: f2459b6bde1d662399a3df725bf8891b - detected by 13 out of 48 antivirus scanners as Adware/AirPush!Android; Android Airpush; Adware/ANDR.Airpush.G.Gen

[5] MD5: 3fb95e1ed77d1b545cf7385b4521b9ae - detected by 18 out of 48 antivirus scanners as JS/TrojanClicker.Agent.NDL

Once executed, MD5: 30cf98d7dc97cae57f8d72487966d20b phones back to 195.167.11.4.

Time to (conservatively) assess the campaign's damage over the year(s):
The click-through rate should be considered conservative, and it remains unknown whether the URL shortening service was used by the cybercriminal(s) since day one of the campaign.

The campaign remains active, and is just the tip of the iceberg in terms of similar campaigns tricking Facebook's users into thinking that they can eventually see who's viewed their profile. Facebook users who stumble across such campaigns on their own, or their friends' Walls, are advised [6]to consider reporting the campaign back to Facebook, immediately.

This post has been reproduced from [7]Dancho Danchev's blog. Follow him [8]on Twitter

1. http://www.webroot.com/blog/tag/pua/

2. https://www.virustotal.com/en/file/ecd6bb6e53477496ea45de362012b4b1d458ee966867eb89ea4005c5bd9fe8b3/analysis/1385988722/

3. https://www.virustotal.com/en/file/b44aabb0e235d36377f3cd55ec4af596a89c0a7814103369d3f48d54d29ffcc7/analysis/1385988808/

4. https://www.virustotal.com/en/file/72f3834e9c8ee164b7e82383415da822579ffb23fbfa7f55ac650a22b2386ee0/analysis/1386108420/

5. https://www.virustotal.com/en/file/3b25b67592b9b06fca05ab61abd16559e7c94f9ac3c225e5ae00ddc5318923c6/analysis/1386109278/

6. https://www.facebook.com/help/www/117257561692875

7. http://ddanchev.blogspot.com/

8. http://twitter.com/danchodanchev
Continuing Facebook "Who's Viewed Your Profile" Campaign Affects Another 190k+ Users, Exposes Malicious Cybercrime Ecosystem (2013-12-11 05:01)

Last week, immediately after I published the initial analysis detailing [1]a massive privacy-violating "Who's Viewed Your Profile" campaign that was circulating across Facebook, the cybercriminals behind it supposedly took it offline, with one of the main redirectors now pointing to 127.0.0.1.

Not surprisingly, the primary campaign has multiple sub-campaigns still in circulation, which, based on the latest statistics - embedded within the campaign on the same day they supposedly shut it down - have already exposed another 190,000+ of the social network's users (the original campaign appears to have been launched in 2011, having already exposed 800,000+ users) to more rogue, privacy-violating apps - JS.Febipos, Mindspark Interactive Network's MyImageConverter and Trojan-Ransomer.CLE, in this particular case.

Let's dissect the still circulating campaign, expose the entire infrastructure supporting it, establish direct connections with related malicious campaigns - indicating that someone is either multi-tasking, or that their malicious/fraudulent activities share the same infrastructure - provide MD5s for the currently served privacy-violating apps, and list the actual, currently live, hosting locations.
Sample redirection chain:

hxxp://NXJXBMQ.tk/?12358289 - 93.170.52.21; 93.170.52.33 -> hxxp://p2r0f3rviewer9890.co.nf/?sdk22222[...]2222222ajsklfjaslfkjasfkija [long run of "2" characters in the query string trimmed] -> hxxp://prostats.vfl.us - 192.157.201.42 -> hxxp://whoviewsfb.uni.me/ch/profile.html - 82.208.40.11
Redirection chain domain name reconnaissance:

NXJXBMQ.tk - 93.170.52.21; 93.170.52.33
p2r0f3rviewer9890.co.nf - 83.125.22.192
whoviewsfb.uni.me - 82.208.40.11
prostats.vfl.us - 192.157.201.42
wh0stalks.uni.me - 192.157.201.42
cracks4free.info - 192.157.201.42

Known to have responded to 93.170.52.21 are also the following fraudulent domains:

0.facebook.com.fpama.tk
001200133184123129811.tk
00wwebhost.tk
01203313441.tk
01prof86841.tk
029m821t9fs.4ieiii.tk
031601.tk
0333.tk
0571baidu.tk
05pr0file21200.tk
05pr0file214741.tk
060uty80w.tk
06emu.tk
0886.tk
0akleycityn.tk
0ao0grecu.tk
0fcf7.chantaljltaste.tk
0lodllmtl.tk
0love.tk

The following malicious MD5s are also known to have phoned back to 93.170.52.21 in the past:

MD5: ee78fe57ad8dbac96b31f41f77eb5877
MD5: bed006372fc76ec261dc9b223b178438
MD5: 58f9cbec80d1dc3a5afbb7339d200e66
MD5: fd0c6b284f7700d59199c55fdcd5bd8a
MD5: 4bfeb3c882d816d37c3e6cbb749e44af
MD5: 97ec866ac26e961976e050591f49fec3
MD5: aba1720b1a6747de5d5345b5893ba2f5
MD5: de5e1f6f137ecb903a018976fc04e110
MD5: a9669b65cabd6b25a32352ccf6c6c09a
MD5: 003f4d9dafba9ee6e358b97b8026e354
MD5: bab313e031b0c54d50fd82d221f7defc
MD5: e6b766f627b91fd420bd93fab4bc323f
MD5: d63656d9b051bf762203b0c4ac728231
MD5: 935440d970ee5a6640418574f4569dab
MD5: 2524e3b4ed3663f5650563c1e431b05c
MD5: f726646a41f95b12ec26cf01f1c89cf9
MD5: a5af6c04d28fcea476827437caf4c681
MD5: c7346327f86298fa5dad160366a0cf26
MD5: 912ed9ef063ae5b6b860fd34f3e8b83a
MD5: b33aaa98ad706ced23d7c64aed0fcad6

Known to have responded to 93.170.52.33 are also the following fraudulent domains:

0lwwa.tk
0msms.tk
122.72.0.7sierra-web-www.szjlc-pcb.tk
1z8dz.tk
4flwz8.ga
777898.ga
888234.ml
8eld7.tk
abmomre.tk
accountupdateinformation.tk
ahram-org-eg.tk
alex-fotos.tk
allycam.tk
amerdz.ml
angelsmov.tk
apis-drives-google.tk
apis-googledrive.tk
apple-idss.tk
appleid.apple.com.cgi-bin.myappleid.woa.apple-idss.tk
avtoshina.tk

The following malicious MD5s are also known to have phoned back to 93.170.52.33 in the past:

MD5: 2d951e649a8bbcbfa468f7916e188f9f
MD5: dbe2c0788e74916eba251194ef783452
MD5: 4bfeb3c882d816d37c3e6cbb749e44af
MD5: dc01c1db51e26b585678701a64c94437
MD5: 61cc3de4e9a9865e0d239759ed3c7d5a
MD5: 64505b7ca1ce3c1c0c4892abe8d86321
MD5: 0b98356395b2463ea0f339572b9c95ef
MD5: 9e87c189d3cbf2fc2414934bef6e661b
MD5: 48964a66bdc81b48f2fe7a31088c041b
MD5: f81c85bea0e2251655b7112b352f302e

The following MD5s are also known to have phoned back to 83.125.22.192 in the past:

MD5: 3935b6efa7e5ee995f410f4ef1e613ab
MD5: 64c1496e1ba2b7cb5c54a33c20be3e95
MD5: 08f76a1ed5996d7dfdcf8226fe3f66b9
MD5: f508d8034223c4ce233f1bdbed265a3a

Known to have responded to 82.208.40.11 are the following fraudulent domains:

000e0062fb44cd5b277591349e070277.cz.cc
003bc1b16c548efbc4f30790e0bc17be.cz.cc
0057ab88a8febe310f94107137731424.cz.cc
008447a58c242b52cb69fe7dceea9a0b.cz.cc
00a47e5e57323f23c66f2c2d5bc1debc.cz.cc
00a9a591d1e7aaf65639781bc73199d4.cz.cc
00ad3353e0ba865a521da380ba4e0cc4.cz.cc
00d55beb792962f7a04c66b85f2c6082.cz.cc
00e3b9ece447187da3f43f98ab619a28.cz.cc
00eb52dbc4331a64e4fd96fdca890d9c.cz.cc
00f59cfa33cd097e943a38a8f2e343ee.cz.cc
00fbdb49398f0e5fd9d5572044d8934e.cz.cc
010ab81241856dfca44dd9ade4489fbc.cz.cc
011622fb7752328ebb60bd2c075f1fe6.cz.cc
011fbf88cff1c18e05c2afb53d6e5ffd.cz.cc
0133147433aeef23bbe60df0cbc4eac9.cz.cc
013f98b7157ae3754d463e9d2346a549.cz.cc
013fa3e9db6e476282b8e9f1bac6d68e.cz.cc
017c2bd33744c2d423a2a7598a0c0a4e.cz.cc
019368b1f3b364c0d3ec412680638f04.cz.cc

The following malicious MD5s are also known to have phoned back to 82.208.40.11 in the past:

MD5: 2c89dfc1706b31ba7de1c14e229279e5
MD5: 6719d3e8606d91734cde25b8dfc4156f
MD5: 61dcea6fbf15b68be831bff8c5eb0c1d
MD5: 3875fa91f060d02bddd43ff8e0046588
MD5: 929b72813bae47f78125ec30c58f3165
MD5: 96fa2ea6db2e4e9f00605032723e1777
MD5: c46968386138739c81e219da6fb3ead5
MD5: 3d627e0dbc5ac51761fa7cc7b202ec49
MD5: d9714a0f7f881d3643125aa0461a30be
MD5: 81171015a95073748994e463142ddcc7



Known to have responded to 192.157.201.42 are also the following fraudulent domains:

cracks4free.info
pr0lotra.p9.org
prostats.vfl.us
wh0prof.uni.me
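Pivoting from an IP to "every domain that resolved there and every sample that phoned home there", as done above, is only as good as the hosting behind the IP. The 93.170.52.x and 82.208.40.11 neighbour lists are dominated by free .tk/.ga/.ml and .cz.cc throwaways with no visible relation to this campaign, which is what shared or abuse-friendly hosting looks like in passive DNS, whereas 192.157.201.42 carries a handful of hosts that share the campaign's theme. The Python below is an added example, not code from the original post: it stores relations as (subject, predicate, object) triples, scores each IP by how many hosts and how many distinct registrants sit behind it, and walks the graph from a seed while refusing to expand through IPs that look like hubs. All host names, addresses, registrant e-mails, sample labels and thresholds are invented for the example.

```python
"""Pivot on shared infrastructure without drowning in shared-hosting noise.

Added example, not code from the original post. The write-up pivots from the
redirection chain to every domain that resolved to, and every sample that phoned
back to, the same IPs. Done naively, that pull also drags in whatever else lived
on the same server. This example stores relations as (subject, predicate,
object) triples, scores each IP by how many hosts and distinct registrants sit
behind it, and refuses to expand through IPs that look like hubs. All names,
addresses and sample labels below are invented for the example.
"""
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

Triple = Tuple[str, str, str]

# Constructed relation data (hypothetical). Predicates: resolves_to, registrant, beacons_to.
RELATIONS: List[Triple] = [
    ("landing-a.example", "resolves_to", "203.0.113.10"),
    ("stats-a.example",   "resolves_to", "203.0.113.10"),
    ("cracks-a.example",  "resolves_to", "203.0.113.10"),
    ("landing-a.example", "registrant",  "reg1@example.net"),
    ("stats-a.example",   "registrant",  "reg1@example.net"),
    ("cracks-a.example",  "registrant",  "reg1@example.net"),
    ("sample:0001",       "beacons_to",  "203.0.113.10"),     # placeholder for a file hash
    ("shortener-a.tk",    "resolves_to", "198.51.100.5"),
    ("sample:0002",       "beacons_to",  "198.51.100.5"),
]
# Twenty unrelated free-TLD throwaways, each with its own registrant, on one
# shared host: that IP is a hub, not evidence of one campaign.
RELATIONS += [(f"junk{i}.tk", "resolves_to", "198.51.100.5") for i in range(20)]
RELATIONS += [(f"junk{i}.tk", "registrant", f"user{i}@example.org") for i in range(20)]


def build_graph(relations: List[Triple]) -> Dict[str, Set[str]]:
    """Undirected adjacency: each indicator maps to everything it shares a relation with."""
    adj: Dict[str, Set[str]] = defaultdict(set)
    for s, _, o in relations:
        adj[s].add(o)
        adj[o].add(s)
    return adj


def hub_score(ip: str, relations: List[Triple]) -> Tuple[int, int]:
    """(hosts on this IP, distinct registrants behind those hosts). Many hosts
    with many different registrants is the signature of shared hosting."""
    hosts = {s for s, p, o in relations if p == "resolves_to" and o == ip}
    registrants = {o for s, p, o in relations if p == "registrant" and s in hosts}
    return len(hosts), len(registrants)


def pivot(seed: str, relations: List[Triple],
          max_hosts: int = 10, max_registrants: int = 3) -> Tuple[Set[str], Set[str]]:
    """Breadth-first expansion from `seed`. Hub IPs are kept as indicators (the
    seed did talk to them) but their neighbours are not walked. Returns
    (cluster, hubs_skipped)."""
    adj = build_graph(relations)
    ips = {o for _, p, o in relations if p in ("resolves_to", "beacons_to")}
    cluster, hubs = {seed}, set()
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if node in ips:
            n_hosts, n_regs = hub_score(node, relations)
            if n_hosts > max_hosts and n_regs > max_registrants:
                hubs.add(node)
                continue
        for nxt in adj[node]:
            if nxt not in cluster:
                cluster.add(nxt)
                queue.append(nxt)
    return cluster, hubs


if __name__ == "__main__":
    for seed in ("landing-a.example", "shortener-a.tk"):
        cluster, hubs = pivot(seed, RELATIONS)
        print(f"{seed}: {len(cluster)} indicators, hubs not expanded: {sorted(hubs)}")
        print("   ", sorted(cluster))
    naive, _ = pivot("shortener-a.tk", RELATIONS, max_hosts=10**6)
    print(f"shortener-a.tk without the hub filter: {len(naive)} indicators")
```

The thresholds are assumptions to be tuned against your own passive DNS and WHOIS data; where registrant data is privacy-protected, TLD diversity or the hosting ASN's reputation serves the same purpose. A hub IP the seed talked to is still worth recording, and its other tenants become interesting again only when a second link corroborates them, for example the same registrant e-mail, the same GA property ID, or the same affiliate ID as the seed.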

Time to provide the actual, currently live, hosting locations 
for the served privacy-violating content. 
Mindspark Interactive Network's MyImageConverter served URL:

hxxp://download.myimageconverter.com/index.jhtml?partner=^AZ0^xdm081

Google Store served URLs:

hxxps://chrome.google.com/webstore/detail/miapmjacmjonmofofflhnbafpbmfapac - currently active
hxxps://chrome.google.com/webstore/detail/dllaajjfgpigkeblmlbamflggfjkgbej

Dropbox accounts serving the Android app (offline due to heavy usage) and the Firefox extension:

hxxps://dl.dropboxusercontent.com/s/rueyn3owrrpsbw4/whoviewsS.xpi - currently online
hxxps://dl.dropboxusercontent.com/s/so3vm50w298qkto/WhoViewsYourProfile.apk

Facebook App URL:

hxxp://apps.facebook.com/dislike_button/

Google Docs served privacy-violating apps:

hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqVFIjUDBnTjFHdVE&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqRXBMLWZ4cVZJV2s&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqOXlyNko0VFBOdnM&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqZmSyeUFudFhqclU&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqbWpfNW5FalJmRGM&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqS3VlZkZBQjJGbjQ&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqX2xXbEJLbEY0Q3M&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqMU5RVkJSWURxMEO&export=download
hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqVFIjUDBnTjFHdVE&export=download

GA Account IDs: UA-23441223-3; UA-12798017-1

MyImageConverter Affiliate Network ID: ^AZ0^xdm081

Detection rate for the served apps/extensions:

[2] MD5: 30cf98d7dc97cae57f8d72487966d20b - detected by 19 out of 49 antivirus scanners as Trojan-Ransomer.CLE; Troj/Mdrop-FNZ

[3] MD5: 88dd376527c18639d3f8bf23f77b480e - detected by 8 out of 49 antivirus scanners as JS:Febipos-N [Trj]; JS/Febipos
Once executed, MD5: 30cf98d7dc97cae57f8d72487966d20b also drops MD5: 106320fc1282421f8f6cf5eb0206abee and MD5: 43b20dc1b437e0e3af5ae7b9965e0392 on the affected hosts. It then phones back to 195.167.11.4.

Two more MD5s from different malware campaigns are known to have phoned back to 195.167.11.4:

MD5: 8192c574b8e96605438753c49510cd97
MD5: d55de5e9ec25a80ddfecfb34d417b098

The Privacy Policy (hxxp://prostats.vfl.us/firefox/pp.html) and the EULA (hxxp://prostats.vfl.us/firefox/eula.html) point to hxxp://dislikeit.com - 176.74.176.179. Not surprisingly, multiple malicious MD5s are also known to have previously interacted with the same IP:

MD5: d366088e4823829798bd59a4d456a3df
MD5: 3c73db8202d084f33ab32069f40f58c8
MD5: d7fce1ec777c917f72530f79363fc6d3
MD5: 83568d744ab226a0642233b93bfc7de6
MD5: c84b1bd7c2063f34900bbc9712d66e0f
MD5: 58baa919900656dacaf39927bb614cf1
MD5: a86e97246a98206869be78fd451029a0
MD5: 70a0894397ac6f65c64693f1606f1231
MD5: f9166237199133b24cd866b61d0f6cca
MD5: 0f24ad046790ee863fd03d19dbba7ea5

Based on the latest performance metrics for the campaign, over 190,000 users have already interacted with this sub-campaign since the 4th of December, when I initially analyzed the primary campaign.

Monitoring of the campaign is naturally in progress. Updates will be posted as soon as new developments take place.

This post has been reproduced from [4]Dancho Danchev's blog. Follow him [5]on Twitter

1. http://ddanchev.blogspot.com/2013/12/facebook-circulating-whos-viewed-your.html

2. https://www.virustotal.com/en/file/b44aabb0e235d36377f3cd55ec4af596a89c0a7814103369d3f48d54d29ffcc7/analysis/1386720892/

3. https://www.virustotal.com/en/file/4106e0e655822060a3dc83777aa88554c4f6e295b1f9474400d4820bd8e0d57b/analysis/1386720902/

4. http://ddanchev.blogspot.com/

5. http://twitter.com/danchodanchev
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Continuing Facebook "Who's Viewed Your Profile" 
Campaign Affects Another 190k+ Users, Exposes Ma- 
















licious Cybercrime Ecosystem (2013-12-11 05:01) 

Last week, immediately after I published the initial analysis 
detailing [l]a massive privacy-violating "Who's 
Viewed Your Profile" campaign, that was circulating 
across Facebook, the cybercriminals behind it, 
supposedly took it offline, with one of the main redirectors 
now pointing to 127.0.0.1. 

Not surprisingly, the primary campaign has multiple sub¬ 
campaigns still in circulation, which based on the lat¬ 
est statistics - embedded within the campaign on the same 
day they supposedly shut it down - has already exposed 

another 190,000-1- of the social network's users - the 
original campaign appears to have been launched in 2011 

having already exposed 800,000-1- users - to more rogue, 
privacy violating apps - JS.Febipos, Mindspark Interactive 

Network's MylmageConverter and Trojan- 
Ransomer.CLE, in this particular case. 

Let's dissect the still circulating campaign, expose the entire 
infrastructure supporting it, establish direct con¬ 
nections with it to related malicious campaigns, indicating 
that someone's either multi-tasking, or that their 

malicious/fraudulent activities share the same 
infrastructure, provide MD5s for the currently served 
privacy-violating 

apps, as well as list the actual - currently live - hosting 
locations. 



Sample redirection chain: 

hxxp://NXJXBMQ.tk/?l2358289 - 93.170.52.21; 

93.170.52.33-> hxxp://p2r0f3rviewer9890.co.nf/? 
sdk22222- 

222222222222222222222222222222 

2222222222222222222222222222222222222222222 

22222222222222222222222222222222222222222222222 
222222222222222222222 22222222222222 

22222222222222222222222222222222222222222222222 
222222222222222222222 22222222222222 

22222222222222222222222222222222222222222222222 
222222222222222222222 22222222222222 

22222222222222222222222222222222222222222222222 
222222222222222222222 22222222222222 

22222222222222222222222222222222222222222222222 
222222222222222222222 22222222222222 

22222222222222222222222222222222222222222222222 
222222222222222222222 22222222222222 

22222222222222222222222222222222222222222222222 
222222222222222222222 22222222222222 

22222222222222222222222222222222222222222222222 
222222222222222222222 22222222222222 


22222222222222222222222222222222222222222222222 
222222222222222222222 22222222222222 


22222222222222222222222222222222222222222222222 
222222222222222222222 22222222222222 

22222222222222222222222222222222222222222222222 
222222222222222222222 22222222222222 



222222222222222222222222222222222222222222222222 
22222222222222222222 22222222222222 

222222222222222222222222222222222222222222222222 
22222222222222222222 22222222222222 

222222222222222222222222222222222222222222222222 
22222222222222222222 22222222222222 

222222222222222222222222222222222222222222222222 
22222222222222222222 2222222ajsklfjasl 

fkjasfkija -> hxxp://prostats.vfl.us - 192.157.201.42 -> 
hxxp://whoviewsfb.uni.me/ch/profile.html- 82.208.40.11 

Redirection chain domain name reconnaissance: 
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NXJXBMQ.tk - 93.170.52.21; 93.170.52.33 
p2r0f3rviewer9890.co.nf - 83.125.22.192 
whoviewsfb.uni.me - 82.208.40.11 
prostats.vfl.us - 192.157.201.42 
whOstalks.uni.me - 192.157.201.42 
cracks4free.info - 192.157.201.42 

Known to have responded to 93.170.52.21 are aiso 
the foiiowing frauduient domains: 

O.facebook.com.fpama.tk 

001200133184123129811.tk 



OOwwebhost.tk 


01203313441.tk 

01prof86841.tk 

029m821t9fs.4ieiii.tk 

031601.tk 

0333.tk 

0571baidu.tk 

05pr0flle21200.tk 

05pr0file214741.tk 

060uty80w.tk 

06emu.tk 

0886.tk 

Oakleycityn.tk 

OaoOgrecu.tk 

0fcf7.chantaljltaste.tk 

Olodllmtl.tk 

Glove.tk 

The following malicious MD5s are also known to have 
phoned back to 93.170.52.21 in the past: 




Known to have responded to 93.170.52.33 are also 
the following fraudulent domains: 


The following malicious MD5s are also known to have 
phoned back to 93.170.52.33 in the past: 


The following MD5s are also known to have phoned 
back to 83.125.22.192 in the past: 




Known to have responded to 82.208.40.11 are the 
following fraudulent domains: 


The following malicious MD5s are also known to have 
phoned back to 82.208.40.11 in the past: 


Known to have responded to 192.157.201.42 are also 
the following fraudulent domains: 

cracks4free.info
pr0lotra.p9.org
prostats.vfl.us
whOprof.uni.me


Time to provide the actual, currently live, hosting locations 
for the served privacy-violating content. 
[Screenshot: fake Facebook "Who Viewed Your Profile" landing page ("More ways to experience Facebook. Introducing the new 'Who Viewed Your Profile' feature on facebook! Ever wanted to see who views your profile on Facebook? Now you can! Let yourself do it already! It's just an extension to install.") with a mocked-up Facebook navigation sidebar and an INSTALL button]

Mindspark Interactive Network's MyImageConverter served URL:

hxxp://download.myimageconverter.com/index.jhtml?partner=^AZ0^xdm081


Google Store served URLs:

hxxps://chrome.google.com/webstore/detail/miapmjacmjonmofofflhnbafpbmfapac - currently active

hxxps://chrome.google.com/webstore/detail/dllaajjfgpigkeblmlbamflggfjkgbej

Dropbox Accounts serving the Android app (offline due to heavy usage), and the Firefox extension:

hxxps://dl.dropboxusercontent.com/s/rueyn3owrrpsbw4/whoviewsS.xpi - currently online

hxxps://dl.dropboxusercontent.com/s/so3vm50w298qkto/WhoViewsYourProfile.apk
[Screenshot: Dropbox "Error (509)" page: "This account's public links are generating too much traffic and have been temporarily disabled!"]

Facebook App URL: 

hxxp://apps.facebook.com/dislike_button/ 

Google Docs served privacy-violating apps: 

hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqVFIjUDBnTjFHdVE&export=download

hxxps://docs.google.com/uc?authuser=0&id=0BziFI-mKCuQwqRXBMLWZ4cVZJV2s&export=download

hxxps://docs.google.com/uc?authuser=0&id=0BziFI-mKCuQwqOXlyNkoOVFBOdnM&export=download

hxxps://docs.google.com/uc?authuser=0&id=0BziFI-mKCuQwqZmSyeUFudFhqclU&export=download

hxxps://docs.google.com/uc?authuser=0&id=0BziFI-mKCuQwqbWpfNWSFalJmRGM&export=download

hxxps://docs.google.com/uc?authuser=0&id=0BziFI-mKCuQwqSBVlZkZBQjJGbjQ&export=download

hxxps://docs.google.com/uc?authuser=0&id=0BziFI-mKCuQwqX2xXbEJLbEY0Q3M&export=download

hxxps://docs.google.com/uc?authuser=0&id=0BziFI-mKCuQwqMUSRVkJSWURxMEO&export=download

hxxps://docs.google.com/uc?authuser=0&id=0BziFI-mKCuQwqVFIjUDBnTjFFIdVE&export=download

GA Account IDs: UA-23441223-3; UA-12798017-1

MyImageConverter Affiliate Network ID: ^AZ0^xdm081



Detection rate for the served apps/extensions:

[2] MD5: 30cf98d7dc97cae57f8d72487966d20b - detected by 19 out of 49 antivirus scanners as Trojan-Ransomer.CLE; Troj/Mdrop-FNZ

[3] MD5: 88dd376527cl8639d3f8bf23f77b480e - detected by 8 out of 49 antivirus scanners as JS:Febipos-N [Trj]; JS/Febipos
[Screenshot: the Privacy Policy of "Dislikeit LLC" (dba Dislikeit, dislikeit.com), describing the collection of non-personally identifiable data from users and website visitors, with the sections Use of Data, Cookies and Log Files, Age Limit, Changes to Policy, Governing Law (United States) and Contact us]


Once executed, MD5: 30cf98d7dc97cae57f8d72487966d20b also drops MD5: 106320fcl282421f8f6cf5eb0206abee and MD5: 43b20dclb437e0e3af5ae7b9965e0392 on the affected hosts. It then phones back to 195.167.11.4.

Two more MD5s from different malware campaigns are known to have phoned back to 195.167.11.4:

MD5: 8192c574b8e96605438753c49510cd97

MD5: d55de5e9ec25a80ddfecfb34d417b098

The Privacy Policy (hxxp://prostats.vfl.us/firefox/pp.html) and the EULA (hxxp://prostats.vfl.us/firefox/eula.html) point to hxxp://dislikeit.com - 176.74.176.179. Not surprisingly, multiple malicious MD5s are also known to have previously interacted with the same IP:

Based on the latest performance metrics for the campaign, over 190,000 users have already interacted with this sub-campaign since the 4th of December, when I initially analyzed the primary campaign.
[Screenshot: bitly statistics for the prostats.vfl.us link: 191,278 clicks, where the bitly link was shared, and geographic distribution of clicks]

Monitoring of the campaign is naturally in progress. Updates 
will be posted as soon as new developments take place. 

1. http://ddanchev.blogspot.com/2013/12/facebook-circulating-whos-viewed-your.html

2. https://www.virustotal.com/en/file/b44aabb0e235d36377f3cd55ec4af596a89cQa78141Q3369d3f48d54d29ffcc7/analysis/1386720892/

3. https://www.virustotal.com/en/file/4106e0e655822060a3dc83777aa88554c4f6e295blf94744QQd482Qbd8eQd57b/analysis/1386720902/

2. 2014

2.1 January
[Screenshot: Webroot Threat Blog front page listing the posts "Top consumer security predictions for 2014" (December 31st, 2013, by Tyler Moffitt) and "Cybercrime Trends 2013 - Year in Review" (December 27th, 2013, by Dancho Danchev)]


Summarizing Webroot's Threat Blog Posts for December (2014-01-06 17:07)

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for December, 2013. You can subscribe to [2]Webroot's Threat Blog RSS Feed, or follow me on Twitter:

01. [3]Cybercrime-friendly VPN service provider pitches itself as being 'recommended by Edward Snowden'

02. [4]Commercial Windows-based compromised Web shells management application spotted in the wild

03. [5]Compromised legitimate Web sites expose users to malicious Java/Symbian/Android "Browser Updates"

04. [6]Malicious multi-hop iframe campaign affects thousands of Web sites, leads to a cocktail of client-side exploits - part two

05. [7]How cybercriminals efficiently violate YouTube, Facebook, Twitter, Instagram, SoundCloud and Google+'s ToS

06. [8]Tumblr under fire from DIY CAPTCHA-solving, proxies-supporting automatic account registration tools

07. [9]Newly launched 'HTTP-based botnet setup as a service' empowers novice cybercriminals with bulletproof hosting capabilities - part three

08. [10]Cybercriminals offer fellow cybercriminals training in Operational Security (OPSEC)

09. [11]Fake 'WhatsApp Missed Voicemail' themed emails lead to pharmaceutical scams

10. [12]A peek inside the booming underground market for stealth Bitcoin/Litecoin mining tools

11. [13]Cybercrime Trends 2013 - Year in Review

This post has been reproduced from [14]Dancho Danchev's blog. Follow him [15]on Twitter.


Fake Adobe Flash Player Serving Campaign Utilizes Google Hosting/Redirection Infrastructure, Spreads Across Facebook (2014-01-07 21:09)

What "better" time to spread malicious "joy" than during the Holidays? Cybercriminals are still busy maintaining a fake Adobe Flash Player serving, Facebook spreading campaign, which I originally intercepted during the Holidays, utilizing Google redirectors/hosting services. Despite the modest - naturally conservative estimate - click-through rate (45,000 clicks) compared to that of the most recently profiled similar [1]Febipos spreading campaign, which [2]resulted in over 1 million clicks, the campaign remains active, and continues tricking users into installing the rogue Adobe Flash Player, resulting in the continued spread of the campaign on the Facebook Walls of socially engineered users.

Let's dissect the campaign, expose its infrastructure/command and control servers, and provide MD5s of the served malware.

Spamvertised Facebook URL + redirection chain:

hxxp://goo.gl/QeshtO, hxxp://goo.gl/vVbrHp, hxxp://goo.gl/OoSJVz, hxxp://goo.gl/38qlq8, hxxp://goo.gl/QNQhc5 -> hxxps://9dvme0ll<2r0osqg3qb3rll<95z.storage.googleapis.com/qlfwum32gld35iab9d2u4o35bjsvhjhu309.html?ref=12 -> hxxp://goo.gl/wKXmel -> hxxp://www.i-justice.org/g-o-27312-gooenn.html (94.23.166.27) -> hxxp://f3c4VaOdOlf3ec343f57-2ba5bba9317af81ae21c42000295a455.r9.cf4.rackcdn.com/24471bmbqvO7595?ref=27312&sub=27312&sub_id=27312 -> hxxp://www.eklentidunyasi.com/dl.php (176.31.2.155) or hxxp://www.agentofex.com/dl.php (176.227.218.99; www.puee.in) -> hxxp://docs.google.com/uc?export=download&id=0B6DFdqpSFDAISmpsTI<ZI<T2hvN28 or hxxps://doc-0g-4o-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffl<sulhg5h7mbpl/7fbm9gn-67t8tl8r8etd00juf0rvmrrmh/l387836000000/16300082901287672546/*/0BzU3dAROGry0TIMxN3F2STN0Z3M

GA Account ID: UA-36486228-1
[Screenshot: goo.gl analytics for hxxp://goo.gl/wKXmel: 45,500 clicks all time, redirecting to hxxp://www.i-justice.org/g-o-27312-gooenn.html, with referrers, countries and platforms breakdowns]

Detection rate for the served malware: [3]MD5: 30118bec581f80de46445aef79e6cfl0 - detected by 33 out of 48 antivirus scanners as Trojan-Ransom.Win32.Blocker.dbud. Once executed, the sample phones back to:

hxxp://176.31.2.155/extFiles/control8.txt
hxxp://176.31.2.155/extFiles/NewFile0008.exe
hxxp://176.31.2.155/extFiles/version.txt
hxxp://176.31.2.155/extFiles/list.txt
hxxp://176.31.2.155/extFiles/buflash.xpi
hxxp://176.31.2.155/extFiles/bunel0.zip
hxxp://176.31.2.155/extFiles/private/sandbox_status.php
hxxp://176.31.2.155/extFiles/extFiles/yok.txt

The files were offline at the time of processing of the sample.

Related MD5s for the same served fake Adobe Flash 
Player: 

[Screenshot: fake Windows crash dialog displayed by the sample: "Adobe has encountered a problem and needs to close. We are sorry for the inconvenience. [...] Microsoft Error Reporting cannot connect to the reporting servers at this time. If you would like to be prompted to report later, click Send Report Later." with "Send Report Later" and "Don't Send" buttons]


Once executed, MD5: fce013bec7b3651cl00b6887c0al2eee phones back to:

hxxp://176.227.218.99/extFiles/controll7.txt
hxxp://176.227.218.99/extFiles/NewFile00017.exe
hxxp://46.163.100.240/NewFile00017.exe
hxxp://176.227.218.99/NewFile00017.exe
hxxp://176.227.218.99/extFiles/extFiles/version.txt
hxxp://176.227.218.99/extFiles/extFiles/list.txt
hxxp://176.227.218.99/extFiles/extFiles/buflash.xpi
hxxp://176.227.218.99/extFiles/extFiles/bunel0.zip

Files remained offline at the time of processing of the sample.

This post has been reproduced from [4]Dancho Danchev's blog. Follow him [5]on Twitter.

1. http://ddanchev.blogspot.com/2013/12/continuing-facebook-whos-viewed-your.html

2. http://ddanchev.blogspot.com/2013/12/facebook-circulating-whos-viewed-your.html

3. https://www.virustotal.com/en/file/adecl707efaal496691d5d4bl2daaadff893b0f0ad68b33699e5dd7dd6f8eb58/analysis/1387838333/

4. http://ddanchev.blogspot.com/

5. http://twitter.com/danchodanchev














[Screenshot: spammed Facebook post: "My profile has been viewed today 712 times. Top 5 Visitors: [...] See who has viewed your profile HERE: hxxp://GXOMZRC.tk/?74604844", shared with 48 others]

Dissecting the Ongoing Febipos/Carfekab Rogue Chrome/Firefox Extensions Dropping, Facebook Circulating Malicious Campaign (2014-01-09 17:21)

And, (not surprisingly) they're back! The cybercriminal(s) behind the 1 million+ clicks strong Febipos/Carfekab rogue Chrome/Firefox extensions dropping malicious campaign continue utilizing the already infected 'population' for the purpose of disseminating the newly packed/modified extensions/samples across Facebook, with yet another campaign that I'll dissect in this post.

Catch up with previous research dissecting the previous campaigns:

• [1]Facebook Circulating 'Who's Viewed Your Profile' Campaign Exposes 800k+ Users to CrossRider PUA/Rogue Firefox Add-ons/Android Adware AirPush

• [2]Continuing Facebook "Who's Viewed Your Profile" Campaign Affects Another 190k+ Users, Exposes Malicious Cybercrime Ecosystem


Redirection chain: hxxp://GXOMZRC.tk/?74604844 (93.170.52.34) -> hxxp://wqeuijlks.igg.biz/?ascljas22222222-222222 (88.198.132.3) -> hxxp://prostats.vfl.us/s.htm -> hxxp://vidsvines.com/d/ -> hxxp://vidsvines.com/d/firefox



O You***** OA wpof yAur MK* OownioM i« 

Now 90 to c»>row;'> <ftroc?»»»ti rt»nnon»/ 

* I. ■ • • • 

*■ C ft| 

, ^ 

All you have to do now is drag the CRX 
file from the bottom toolbar to the 
extensions pagej^ 

^ c 











-> 

hxxp://vidsvines. com/d/ch/-> 

hxxp://vidsvines.com/d/ch/profile2.html (192.157.201.42) 

First GA Account ID: UA-23441223-3 

Second GA Account ID: UA-25941572-1 
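Both "Who's Viewed Your Profile" campaigns reuse the same intermediate hop (prostats.vfl.us), the same final hosting IP (192.157.201.42) and the same GA account (UA-23441223-3), which is exactly how a defender ties a "new" campaign back to a known one. The script below is an added example, not code from the original posts: it parses the two redirection chains quoted in the December and January posts, refangs the hxxp:// notation, and reports every indicator shared between them; the campaign labels and the helper names are constructed for the example.

```python
"""Pivot on infrastructure shared by the December 2013 and January 2014
"Who's Viewed Your Profile" campaigns described in these posts.

Added example, not code from the original posts. The chains are the ones
quoted in the text (the December chain is the surviving tail quoted there);
the campaign labels are constructed for this example.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Redirection chains and GA account IDs as quoted in the two posts.
CAMPAIGNS = {
    "dec-2013": {
        "chain": ("hxxp://prostats.vfl.us - 192.157.201.42 -> "
                  "hxxp://whoviewsfb.uni.me/ch/profile.html - 82.208.40.11"),
        "ga_ids": ["UA-23441223-3", "UA-12798017-1"],
    },
    "jan-2014": {
        "chain": ("hxxp://GXOMZRC.tk/?74604844 (93.170.52.34) -> "
                  "hxxp://wqeuijlks.igg.biz/?ascljas22222222-222222 (88.198.132.3) -> "
                  "hxxp://prostats.vfl.us/s.htm -> hxxp://vidsvines.com/d/ -> "
                  "hxxp://vidsvines.com/d/ch/profile2.html (192.157.201.42)"),
        "ga_ids": ["UA-23441223-3", "UA-25941572-1"],
    },
}

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
GA_ID_RE = re.compile(r"UA-\d{4,10}-\d{1,4}")


def refang(url):
    """Turn the defanged hxxp:// or hxxps:// scheme back into http(s):// so
    the standard URL parser accepts it."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.IGNORECASE)


def parse_chain(chain):
    """Split a chain written as 'url (ip) -> url - ip -> url' into
    (hostname, ip) hops; ip is None where the post gives no resolution."""
    hops = []
    for raw_hop in chain.split("->"):
        raw_hop = raw_hop.strip()
        if not raw_hop:
            continue
        match = IPV4_RE.search(raw_hop)
        ip = match.group(1) if match else None
        url_part = raw_hop[:match.start()] if match else raw_hop
        # Strip the ' - ' or ' (' separator left between the URL and its IP.
        host = urlsplit(refang(url_part.rstrip(" -("))).hostname
        if host:
            hops.append((host, ip))
    return hops


def infrastructure_overlap(campaigns):
    """Return every hostname, IP and GA account ID that appears in more than
    one campaign, mapped to the sorted list of campaigns it occurs in."""
    seen = defaultdict(set)
    for name, data in campaigns.items():
        for host, ip in parse_chain(data["chain"]):
            seen[("host", host)].add(name)
            if ip:
                seen[("ip", ip)].add(name)
        for ga_id in data["ga_ids"]:
            if GA_ID_RE.fullmatch(ga_id):
                seen[("ga", ga_id)].add(name)
    return {key: sorted(names) for key, names in seen.items() if len(names) > 1}


def hosts_on_ip(campaigns, ip):
    """Pivot on one hosting IP: every hostname the posts show resolving to it."""
    return {host for data in campaigns.values()
            for host, hop_ip in parse_chain(data["chain"]) if hop_ip == ip}


if __name__ == "__main__":
    for (kind, value), names in sorted(infrastructure_overlap(CAMPAIGNS).items()):
        print(f"shared {kind:<4} {value:<20} seen in: {', '.join(names)}")
    print("hosts on 192.157.201.42:", sorted(hosts_on_ip(CAMPAIGNS, "192.157.201.42")))
```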

Actual malicious content hosting locations (legitimate infrastructure again):

hxxps://docs.google.com/uc?authuser=0&id=0BziH-mKCuQwqVFgyZzFzRlo3YTQ&export=download

hxxps://dl.dropboxusercontent.com/s/tj9n05qhjvnl<g4s/whoviewsfam.xpi

Detection rates for the served rogue Chrome/Firefox 
extensions: 

[3] MD5: 0ee44443c73bd9b072c7fldbb6b7b591 

[4] MD5: C4953f63ab46c796e23388f9clcfa273 

[5] MD5: 5bcec283594e863f5dd238e2d22446c7 
[Screenshot: fake Facebook "Who Viewed Your Profile" landing page ("More ways to experience Facebook. Introducing the new 'Who Viewed Your Profile' feature on facebook! Ever wanted to see who views your profile on Facebook? Now you can! Let yourself do it already! It's just an extension to install.") with an INSTALL button]

Once executed, [6]MD5: 5bcec283594e863f5dd238e2d22446c7 drops MD5: deb483270b9ed5da7fcfld01a6fde8a7 and MD5: 90b77a477d815c771559d08ea80cc0c8; it then phones back to 212.117.32.20.

Related malicious MD5s known to have phoned back 
to the same IP: 

MD5: 33408f35623dc5bb4a3bde09fa45f86b 

MD5: 56a54a700ae5700c3cd3da9c2ad226cf 

MD5: f86812305039156blda8fc29bdddebb7 

MD5: ede8f20d78a81c7da76ad7def37ebbdd 

This post has been reproduced from [7]Dancho Danchev's blog. Follow him [8]on Twitter.

1. http://ddanchev.blogspot.com/2013/12/facebook-circulating-whos-viewed-your.html

2. http://ddanchev.blogspot.com/2013/12/facebook-circulating-whos-viewed-your.html

3. https://www.virustotal.com/en/file/ae0ac523f752b320a103befeacfc960e6f86b01343d7598f48664afcb4cedd71/analysis/1389277417/

4. https://www.virustotal.com/en/file/dd46cd6ec5bl39f55a9ddec75fed261568c06abfl883cf28dclf5a3491c3eQcl/analysis/1389277591/

5. https://www.virustotal.com/en/file/7737cf0c74e5e84f543a379ff9e42ac372f78ff0e8eb4c847a7bc4d07f8bl368/analysis/1389277807/

6. https://www.virustotal.com/en/file/7737cf0c74e5e84f543a379ff9e42ac372f78ff0e8eb4c847a7bc4d07f8bl368/analysis/1389277807/

7. http://ddanchev.blogspot.com/

8. http://twitter.com/danchodanchev
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My profile has been viev^ed today 712 times. 
Top 5 Visitors: 




visits 

2- 


its 

3- 


j visits 

4- 


38 visits 

5- 


■ 16 visits 


See v^ho has viewed your profile HERE: 

http://GXOMZRC.tk/774604844 — . /ith 48 others. 

Dissecting the Ongoing Febipos/Carfekab Rogue 
Chrome/Firefox Extensions Dropping, Facebook 
Circuiat- 

ing Maiicious Campaign (2014-01-09 17:21) 

And, (not surprisingly) they're back! The cybercriminal(s) 
behind the 1 million+ clicks strong Febipos/Carfekab rogue 

Chrome/Fi refox extensions dropping malicious campaign, 
continue utilizing the already infected 'population' for 








the purpose of disseminating the newly packed/modified 
extensions/samples across Facebook, with yet another 

campaign that I'll dissect in this post. 

Catch up with previous research dissecting the 
previous campaigns: 

• [l]Facebook Circulating 'Who's Viewed Your Profile' 
Campaign Exposes 800k+ Users to CrossRider PUA/Rogue 

Firefox Add-ons/Android Adware AirPush 


• [2]Continuing Facebook "Who's Viewed Your Profile" 
Campaign Affects Another 190k+ Users, Exposes Malicious 

Cybercrime Ecosystem 


Redirection chain: hxxp://GXOMZRC.tk/?74604844 
(93.170.52.34) -> hxxp://wqeuijlks.igg.biz/? 
ascljas22222222-222222 (88.198.132.3) -> 
hxxp://prostats. vfl.us/s.htm -> hxxp://vidsvines.com/d/-> 
hxxp://vidsvines. com/d/firefox 849 
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file from the bottom toolbar to the 
extensions pagej^ 
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-> 

hxxp://vidsvines. com/d/ch/-> 

hxxp://vidsvines.com/d/ch/profile2.html (192.157.201.42) 

First GA Account ID: UA-23441223-3 

Second GA Account ID: UA-25941572-1 

Actual malicious content hosting locations 
(legitimate infrastructure again): 

hxxps://docs.google. com/uc?authuser=0 &id=0BziH- 
mKCuQwqVFgyZzFzRlo3YTQ &export=download 

hxxps://dl. dropboxusercontent. com/s/tj9n05qhjvnl<g4s/whovi 
ewsfam.xp i 

Detection rates for the served rogue Chrome/Firefox 
extensions: 

[3] MD5: 0ee44443c73bd9b072c7fldbb6b7b591 

[4] MD5: C4953f63ab46c796e23388f9clcfa273 

[5] MD5: 5bcec283594e863f5dd238e2d22446c7 
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Who Viewed Your Profile 

More ways to experience Facebook 


Introducing the new "Who 
Viewed Your Profile" feature 
on facebook! 

Ever wanted to see how views your 
profite? 

on Facebook? Now you can! 

Let yourself do it already! 

It's Just an Extenson to rstal. 



INSTALL 


Once executed, [6]MD5: 5bcec283594e863f5dd238e2d22446c7 drops MD5: deb483270b9ed5da7fcfld01a6fde8a7 and MD5: 90b77a477d815c771559d08ea80cc0c8; it then phones back to 212.117.32.20. 

Related malicious MD5s known to have phoned back 
to the same IP: 

MD5: 33408f35623dc5bb4a3bde09fa45f86b 

MD5: 56a54a700ae5700c3cd3da9c2ad226cf 

MD5: f86812305039156blda8fc29bdddebb7 

MD5: ede8f20d78a81c7da76ad7def37ebbdd 

Updates will be posted as soon as new developments 
take place. 
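The redirection chains and hash lists above are written in the post's defanged notation (hxxp://, "host (IP)" pairs, "MD5:" prefixes), which is how most such intelligence reaches a defender. As an added example that is not part of the original post, the following Python turns text in that notation into a validated blocklist. Its sample lines, hosts, IPs and hashes are constructed, and the last hash is deliberately malformed (it contains an 'l') to show why transcribed indicators are checked before they reach a blocklist:

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in the style of this post's IoC listings.  Hosts,
# IPs and hashes are made up; the last MD5 is deliberately malformed (it
# contains an 'l') to stand in for a transcription error.
SAMPLE_LINES = [
    "Redirection chain: hxxp://short.example.tk/?74604844 (192.0.2.10) -> "
    "hxxp://redir.example.biz/?asc -> "
    "hxxps://cdn.example.net/d/ch/profile2.html (192.0.2.42)",
    "Once executed, [6]MD5: 00112233445566778899aabbccddeeff drops MD5: "
    "ffeeddccbbaa99887766554433221100",
    "MD5: 0123456789abcdef0123456789abcdef",
    "MD5: deadbeefdeadbeefdeadbeefdeadbeel",
]

DEFANG = re.compile(r"\bhxxp(s?)://", re.IGNORECASE)
# One hop: a defanged URL optionally followed by "(a.b.c.d)".
HOP = re.compile(r"(hxxps?://\S+)(?:\s*\((\d{1,3}(?:\.\d{1,3}){3})\))?", re.IGNORECASE)
MD5_TOKEN = re.compile(r"MD5:\s*([0-9A-Za-z]{32})\b")


def refang(url: str) -> str:
    """Turn the post's hxxp:// notation back into a parseable scheme."""
    return DEFANG.sub(r"http\1://", url)


def parse_chain(line: str) -> list:
    """Split an 'a -> b -> c' line into (host, ip-or-None) hops."""
    hops = []
    for url, ip in HOP.findall(line):
        host = urlsplit(refang(url)).hostname
        if host:
            hops.append((host.lower(), ip or None))
    return hops


def extract_md5s(lines) -> tuple:
    """Return (valid, rejected); a valid MD5 is exactly 32 hex digits."""
    valid, rejected = [], []
    for line in lines:
        for token in MD5_TOKEN.findall(line):
            if re.fullmatch(r"[0-9a-f]{32}", token.lower()):
                valid.append(token.lower())
            else:
                rejected.append(token)      # keep it visible for manual review
    return valid, rejected


def build_blocklist(lines) -> dict:
    """Aggregate hosts, IPs and validated hashes from a block of IoC text."""
    hosts, ips = set(), set()
    for line in lines:
        for host, ip in parse_chain(line):
            hosts.add(host)
            if ip:
                ips.add(ip)
    md5s, rejected = extract_md5s(lines)
    return {"hosts": hosts, "ips": ips, "md5": set(md5s), "rejected": rejected}


if __name__ == "__main__":
    for key, value in build_blocklist(SAMPLE_LINES).items():
        print(key, sorted(value))
```

Rejected tokens are returned rather than silently dropped: a hash that fails the hex check is usually a transcription error, and the right response is to re-check it against the source, not to load a wrong value into a detection feed.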

1. http://ddanchev.blogspot.com/2013/12/facebook-circulating-whos-viewed-your.html 

2. http://ddanchev.blogspot.com/2013/12/facebook-circulating-whos-viewed-your.html 

3. https://www.virustotal.com/en/file/ae0ac523f752b320a103befeacfc960e6f86b01343d7598f48664afcb4cedd71/analysis/1389277417/ 

4. https://www.virustotal.com/en/file/dd46cd6ec5bl39f55a9ddec75fed261568c06abfl883cf28dclf5a3491c3eQcl/analysis/1389277591/ 

5. https://www.virustotal.com/en/file/7737cf0c74e5e84f543a379ff9e42ac372f78ff0e8eb4c847a7bc4d07f8bl368/analysis/1389277807/ 

6. https://www.virustotal.com/en/file/7737cf0c74e5e84f543a379ff9e42ac372f78ff0e8eb4c847a7bc4d07f8bl368/analysis/1389277807/ 
Screenshot: Turkish-language Facebook comments on the lure video post. 
Facebook Spreading, Amazon AWS/Cloudflare/Google Docs Hosted Campaign, Serves P2P-Worm.Win32.Palevo (2014-01-16 21:27) 

A malicious campaign currently circulating across Facebook, targeting Turkish users and utilizing multi-layered monetization tactics, is attempting to trick users into thinking that they need to install a fake Adobe Flash Player, displayed on a fake YouTube video page, ultimately serving P2P-Worm.Win32.Palevo on the hosts of the socially engineered (international) users. 

Let's dissect the campaign, expose its infrastructure in terms of shortened URLs, redirectors, affiliate network IDs, landing pages, pseudo-random Facebook content generation phone back URLs, and legitimate infrastructure hosted content, and provide MD5s for the served malicious content. 

Sample redirection chain: 

hxxp://m3mi.com/10469 -> hxxp://facebookikiziniz.com/yon.html?MYtDmZp4xjbUP9AOOHLj -> hxxp://facebookikiziniz.com/yon.html?MYtDmZp4xjbUP9AOOHLj -> hxxp://facebookikiziniz.com/yon.html?MYtDmZp4xjbUP9AOOHLj 
Internal campaign redirection structure + associated affiliate network IDs + landing URLs: 

hxxp://mobiltrafik.s3.amazonaws.com/mobil.html 

hxxp://mobiltrafik.s3.amazonaws.com/yurtdisi-anroid.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1743&aff_id=3236&source=yurtdisi -> hxxp://ads.glispa.com/sW/49399/CD353/1023a788c68361b710b87b8ed4851a -> hxxps://play.google.com/store/apps/details?id=com.mobogenie.marketstl 

hxxp://mobiltrafik.s3.amazonaws.com/yurtdisi-ios.html -> hxxp://ad.rdrttt.com/aff_c?offer_id=302&aff_id=1014 -> hxxp://www.freehardcorepassport.com/?t=116216,1,96,0&x=pornfr_tracker=9208KOm00B0193lbJI3yk01BNW00005m 

hxxp://mobiltrafik.s3.amazonaws.com/yurtdisiweb.html -> hxxp://ad.rdrttt.com/aff_c?offer_id=302&aff_id=1014 -> hxxp://ads.polluxnetwork.com/hosted/w2m.php?tid=1023e4f08cae470c2f74aa3dle2dl7&oid=6200&aid=758 -> hxxp://m.pornfr.3013.idhad.com/xtrem/index.wimi 

hxxp://mobiltrafik.s3.amazonaws.com/androidwifi.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1743&aff_id=3236&source=yurtici -> hxxp://ads.glispa.com/sW/49399/CD353/1023a788c68361b710b87b8ed4851a 

hxxp://mobiltrafik.s3.amazonaws.com/iphonewifi.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1705&aff_id=3236 -> hxxps://itunes.apple.com/tr/app/id451786983?mt=8 

hxxp://mobiltrafik.s3.amazonaws.com/turkcell.html -> hxxp://goo.gl/GBKArV 

hxxp://mobiltrafik.s3.amazonaws.com/vodofone.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1785&aff_id=3236 -> hxxp://c.mobpartner.mobi/?s=1007465&a=3578&tid1=102afc4360ecadbed491b5c08f7395 

hxxp://mobiltrafik.s3.amazonaws.com/avea.html -> hxxp://ad.juksr.com/aff_c?offer_id=709&aff_id=3236 -> hxxp://wap.chatwalk.com/landings/?name=yilbasi2&affid=reklamaction&utm_campaign=3236&clk=1025fal87aca81ce57edf8adca7a9c 

hxxp://mobiltrafik.s3.amazonaws.com/trweb.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1689&aff_id=3236&source=yurticidefault -> hxxps://www.matchandtalk.com/splashmobile/10?sid=12&bid=663 

hxxp://s3.amazonaws.com/Yonver/tarayici.html -> hxxp://ad.adrttt.com/aff_c?offer_id=1091&aff_id=3236&source=tarayicidan -> hxxps://www.matchandtalk.com/splash/12?sid=12&bid=651&cid=29 

hxxp://izleyelim.s3.amazonaws.com/unlu.html -> hxxp://goo.gl/XpNHIL (21,512 clicks) -> hxxps://izleyelim.s3.amazonaws.com/indir.html 
Screenshot: goo.gl click statistics for the shortened URL (7,643 clicks in the dashboard view), with its referrer breakdown. 


hxxps://s3.amazonaws.com/facebookAds/ortaryon.html -> hxxps://www.matchandtalk.com/splash/12?sid=12&bid=651&cid=29 












Malicious/fraudulent domain name reconnaissance: 

facebookikiziniz.com - 108.162.195.103; 108.162.194.103 

ttcomcdn.com - 162.159.241.195; 162.159.242.195 - Email: masallahkilic@hotmail.com 

amentosx.com - 141.101.116.113; 141.101.117.113 

ad.adrttt.com - 54.236.194.194 


The campaign is also mobile device/PC-aware, and is therefore automatically redirecting users to a variety of different locations/affiliate networks. Case in point, the redirection to Google Play's Mobogenie Market App (Windows application detected as Adware.NextLive.2, [1]MD5: 9dd785436752a6126025b549be644e76), and to SK Planet's iOS-compatible TicToc app. 

Now comes the malicious twist, in the form of a fake Adobe Flash Player that socially engineered users would have to install in order to view the non-existent YouTube video content. 

Actual fake Adobe Flash Player hosting locations within Google Docs: 

hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFcWZIRGYOVlIxNVU 

hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFQVBsdVVOekYyNGs 

hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFaEN2TnE4M0sxWHM 

hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFVXRnbkYtNGSwVDA 

hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFR2NnRXFRUmtNTTQ 

hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFOWFGZnIxMkZWcUE 

hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFcWZZbTIjMkJWZ3c 

hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFYkpEdXI4ZGVaaUE 

hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFMUxzYOdQTTJMVOO 

hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFNmROSXhMSGdCYUU 

hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFbORoZVItMmsyRFU 

hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFb2k2MFN4QTYlZUE 

hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFblAzZXI4emlGR00 

hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFSDZBRDJ40jVqdkU 

hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFUXgtZlVQVU90dVU 

hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFUII6c0Y0MWxLZW8 

hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFSW55S3R0SWcxdDO 

hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFMWtxaGJTMnpMVDA 

hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFSk9yUW5ldDVKaUU 

hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFN3pTXzcxcDIObkU 

hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFQ0p3dV9qcCluOFU 

hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFOFZRcDZwaOZfcVk 

hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFNkoyNktzQ2dJVIE 

hxxps://docs.google.com//uc?authuser=0&id=0B9oVyH_w8BCFS2xJdTE4Nk04QnM 

Detection rate for the fake Adobe Flash Player: 

[2]MD5: 5bf26bd488503a4b2b74c7393d4136e3 - detected by 3 out of 47 antivirus scanners as P2P-Worm.Win32.Palevo.hexb; PE:Trojan.VBInject!1.6546 

Once executed, the sample also drops: 

[3]MD5: a8234el3f9e3af4c768de6f2d6204b3c 

Once executed, the sample phones back to: akillitelefonburada.com (108.162.196.162). 
Sample pseudo-random bogus Facebook content generation takes place through: 

hxxp://www.amentosx.com/ext/r.php -> hxxps://s3.amazonaws.com/facebookAds/arkadaj.html -> hxxp://ttcomcdn.com/tw.php 

This post has been reproduced from [4]Dancho Danchev's blog. Follow him [5]on Twitter. 

1. https://www.virustotal.com/en/file/bc9c9cb2al219b87cdb9e356b72f2e64clac2e92503Q2e72b426ad51dcc6818f/analysis/1389893847/ 

2. https://www.virustotal.com/en/file/9c92331776087bc46053dcf388394acdb6faace813153f6flcd9a9belffad0c5/analysis 

3. https://www.virustotal.com/en/file/d792cleelf944940flfabda43392231Q21596dd546a4QeebQca4Q7535fbc782Q/analysis/ 

4. http://ddanchev.blogspot.com/ 

5. http://twitter.com/danchodanchev 
Screenshot: the fake video page at unluvideolari.info ("Recep Ivedik 4 (Full izle - HD Ucretsiz)", added 1 day ago, 15,547 views) displaying "Please install Flash Player...", with the site's Turkish-language navigation menu. 

Win32.Nixofro Serving, Malicious Infrastructure, Exposes Fraudulent Facebook Social Media Service Provider (2014-03-22 08:18) 

I've recently spotted a malicious, cybercrime-friendly SWF iframe/redirector injecting service, that also exposes a long-run Win32.Nixofro serving malicious infrastructure, currently utilized for the purpose of operating a rogue social media service provider, that's targeting Turkish Facebook users through the ubiquitous social engineering vector for such type of campaigns, namely, the fake Adobe Flash Player. 

Let's profile the service, discuss its relevance in the broader context of the threat landscape, provide actionable/historical threat intelligence on the malicious infrastructure, the rogue domains involved in it, the malicious MD5s served by the cybercriminals behind it, and directly link it to a [1]previously profiled Facebook spreading P2P-Worm.Win32.Palevo serving campaign. 

The managed SWF iframe/redirector service is a great example of a cybercrime-as-a-service type of underground market proposition, empowering both sophisticated and novice cybercriminals with the necessary ([2]malvertising) 'know-how' in an efficient manner, directly intersecting with the commercial availability of [3]sophisticated mass Web site/[4]Web server malicious script embedding platforms. 

The managed SWF iframe/redirector injecting service is currently responding to 108.162.197.62 and 108.162.196.62 

Screenshot: the service's Russian-language price list, with weekly (7 days), monthly (30 days) and yearly (365 days) plans across regular, VIP and 'persona' tiers. 

Known to have responded to the same IPs (108.162.197.62; 108.162.196.62) is also a key part of the malicious infrastructure that I'll expose in this post, namely hizliservis.pw - Email: furkan@cod.com. 

Known to have phoned back to the same IP (108.162.197.62) are also the following malicious MD5s: 

MD5: 432efe0fa88d2a9el91cb95fa88e7b36 
MD5: 720ecblcf4f28663f4ab25eedf620341 
MD5: 02691863e9dfb9e69b68f5fca932e729 
MD5: 69ed70a82cb35a454c60c501025415aa 
MD5: cc586al76668ceefl4891bl5elb412ab 
MD5: 74291941bddcecl31c8c6d531fcbl886 
MD5: 7c27d9ff25fc40119480e4fe2c7ca987 
MD5: 72c030db7163a7a7bf2871a449d4ea3c 

Known to have phoned back to the same IP (108.162.196.62) are also the following malicious MD5s: 

MD5: eda3f015204e9565c779e0725915864f 
MD5: effcfe91beaf7a3ed2f4ac79525c5fc5 
MD5: 14acd831691173ced830f4b51a93elca 
MD5: 7f93b0c611f7020d28f7a545847b51e0 
MD5: bcfce3a9bf2c87dab806623154d49fl0 
MD5: 4c90a89396d4109d8e4e2491c5da4846 
MD5: 289c4f925fdec861c7f765a65b7270af 

Sample redirection chain leading to the fake Adobe Flash Player: 

hxxp://hizliservis.pw/unlu.htm -> hxxp://hizliservis.pw/indir.php -> hxxp://unluvideolari.info -> hxxp://videotr.in/player.swf -> hxxp://izleyelim.s3.amazonaws.com/movie.mp4&skin=newtubedark/NewTubeDark.xml&streamer=lighttpd&image=hqdefault.jpg 

Domain name reconnaissance: 

hizliservis.pw - Email: furkan@cod.com 

videotr.in - Email: tiiknet@yandex.com; snack@log-z.com 

izleyelim.s3.amazonaws.com - 176.32.97.249 

Within hizliservis.pw, we can easily spot yet another part of the same malicious/fraudulent infrastructure, namely, the rogue social media distribution platform's login interface. 
Screenshot: goo.gl statistics for hxxp://goo.gl/ber2EP (35,648 all-time clicks), which resolves to hxxps://buexe-x.googlecode.com/svn/FlashPlayer%20Setup.exe. 
Sample redirection chain leading to a currently active fake Adobe Flash Player (Win32.Nixofro): 

hxxp://socialmediasystem.net/down.php -> hxxps://profonixback31.googlecode.com/svn/FlashPlayerGuncelle.exe 

Detection rate for the fake Adobe Flash Player: 

[5]MD5: 28c3c503d398914bdd2c2b3fdclf9ea4 - detected by 36 out of 50 antivirus scanners as Win32.Nixofro 

Once executed, the sample phones back to profonixuser.net (141.101.117.218). 
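Both the fake Flash Player served here (from a googlecode.com SVN path) and the one in the previous post (from Google Docs direct-download links) are executables pulled from legitimate shared hosting, which is exactly what makes hostname blocklists useless against them. As an added example, not from the original post, the following Python flags such downloads in a web proxy log: the log format and all six lines are constructed for the example, the hostnames are the ones named in the two posts, and the Google Docs id value is a placeholder:

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed proxy log: "<time> <client> <method> <url> <status> <content-type>".
# Hostnames are those named in the posts; the docs.google.com id is a placeholder.
SAMPLE_LOG = """\
2014-03-20T10:01:02Z 10.0.0.5 GET https://buexe-x.googlecode.com/svn/FlashPlayer%20Setup.exe 200 application/octet-stream
2014-03-20T10:01:09Z 10.0.0.5 GET https://docs.google.com/uc?authuser=0&id=PLACEHOLDER_ID&export=download 200 application/x-msdownload
2014-03-20T10:02:30Z 10.0.0.7 GET https://docs.google.com/document/d/PLACEHOLDER_ID/edit 200 text/html
2014-03-20T10:03:11Z 10.0.0.8 GET https://get.adobe.com/flashplayer/ 200 text/html
2014-03-20T10:04:45Z 10.0.0.9 GET https://profonixback31.googlecode.com/svn/FlashPlayerGuncelle.exe 200 application/octet-stream
2014-03-20T10:05:00Z 10.0.0.9 GET https://izleyelim.s3.amazonaws.com/movie.mp4 200 video/mp4
"""

# Leading dot = any subdomain; no dot = exact host.
SHARED_HOSTING = (".googlecode.com", ".s3.amazonaws.com", "docs.google.com",
                  "dl.dropboxusercontent.com", "googledrive.com")
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload",
                "application/x-dosexec"}
BINARY_EXT = (".exe", ".scr", ".xpi", ".crx")
LURE_NAME = re.compile(r"flash\s*player|adobe", re.IGNORECASE)


def is_shared_hosting(host: str) -> bool:
    return any(host.endswith(s) if s.startswith(".") else host == s
               for s in SHARED_HOSTING)


def classify(url: str, ctype: str) -> list:
    """Return the reasons a download looks like a lure; empty list if clean."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    name = unquote(parts.path.rsplit("/", 1)[-1])
    if host == "adobe.com" or host.endswith(".adobe.com"):
        return []                        # the vendor's own site is out of scope here
    reasons = []
    binary = name.lower().endswith(BINARY_EXT) or ctype in BINARY_TYPES
    if binary and is_shared_hosting(host):
        reasons.append("executable served from shared/legitimate hosting")
    if host == "docs.google.com" and "export=download" in parts.query and ctype in BINARY_TYPES:
        reasons.append("Google Docs direct download of a binary")
    if LURE_NAME.search(name):
        reasons.append("Flash Player themed filename off adobe.com")
    return reasons


def scan(log: str) -> list:
    """Return (client, url, reasons) for every flagged line."""
    hits = []
    for line in log.splitlines():
        _, client, _, url, _, ctype = line.split(maxsplit=5)
        reasons = classify(url, ctype)
        if reasons:
            hits.append((client, url, reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan(SAMPLE_LOG):
        print(client, url, "; ".join(reasons))
```

The Content-Type check matters for the Google Docs case: the URL path is just /uc, so only the served type (or the file it turns into on disk) reveals that a binary came back. The same rule would have caught the Dropbox-hosted .xpi in the first post.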

Known to have responded to the same IP (141.101.117.218) are also the following malicious MD5s: 

MD5: 53360155012d8e5c648aca277cbde587 
MD5: a66alc42cc6fb775254cf32c8db7ad5b 
MD5: a051fd83fc8577b00d8d925581afla3b 
MD5: f47784817a8a04284af4b602c7719cb7 
MD5: 2e5c75318275844ce0ff7028908e8fb4 
MD5: 90205a9740df5825ce80229cal05b9e8 

Domain name reconnaissance for the rogue social media distribution platform: 

socialmediasystem.net (141.101.118.159; 141.101.118.158) - Email: furkan@cod.com 

Sample redirection chain for the rogue social media distribution platform's core functions: 

hxxp://profonixuser.net/new.php?nocache=1044379803 -> hxxp://sosyalmedyakusu.com/oauth.php (108.162.199.203; 108.162.198.203) - Email: furkan@cod.com -> hxxp://hizliservis.pw/face.php -> hxxp://socialhaberler.com/manyak.php -> hxxp://profonixuser.net/new.php -> hxxp://profonixuser.net/amk.php (141.101.117.218) -> hxxp://me.cf/dhtcw (31.110.164.61) -> hxxps://video-players.herokuapp.com/755517841177 (107.20.187.159) -> hxxp://kingprofonix.net / hxxp://kingprofonix.com (108.162.198.203) - the same domain is also known to have responded to 108.162.197.62 
Related MD5s known to have phoned back to the same IP (108.162.198.203) in the past: 

[6]MD5: 505f615f9elc4fdc03964b36ec877d57 

Sample internal redirectors structure: 

hxxp://profonixuser.net/fb.php -> hxxp://profonixuser.net/manyak.php -> hxxp://molotofcu.com/google/hede.php (199.27.134.199) 

hxxp://profonixuser.net/pp.php -> hxxp://gdriv.es/awalbbmprtbpahpolcdt?jgxebgqjl -> hxxps://googledrive.com/host/0B08vFK4UtN5kdjV2NklHVTVjcTO -> hxxp://sosyalmedyakusu.com/s3x.php?ref=google 

hxxp://profonixuser.net/user.php -> hxxp://goo.gl/ber2EP -> hxxps://buexe-x.googlecode.com/svn/FlashPlayer%20Setup.exe -> [7]MD5: 60137clcb77bed9afcbbbc3ad910df3f -> phones back to wjetphp.com (46.105.56.61) 

Secondary sample internal redirectors structure: 

hxxp://profonixuser.net/yarak.txt -> hxxp://profonixuser.net/u.exe -> hxxp://profonixuser.net/yeni.txt -> hxxp://profonixuser.net/yeni.exe -> hxxp://profonixuser.net/recep.html -> hxxp://goo.gl/ber2EP -> hxxp://wjetphp.com/unlu/player.swf -> hxxp://profonixuser.net/kral.txt -> hxxp://likef.in/fate.exe - 108.162.194.123; 108.162.195.123; 108.162.199.107 - known to have phoned back to the same IP is also the following malicious [8]MD5: effcfe91beaf7a3ed2f4ac79525c5fc5 - detected by 35 out of 50 antivirus scanners as Trojan-Ransom.Win32.Foreign.kcme 


Once executed, the sample phones back to likef.biz (176.53.119.195). The same domain is also known to have responded to the following IPs: 141.101.116.165; 141.101.117.165. 

Here comes the interesting part. The fine folks at [9]ExposedBotnets have already intercepted a malicious Facebook spreading campaign that's using the videotr.in domain already profiled in this post. 

Having directly connected the cybercrime-friendly SWF iframe/redirector injecting service with hizliservis.pw, as well as with the SocialMediaSystem, as being part of the same malicious infrastructure, it's time to profile the fraudulent/malicious adversaries behind the campaigns. The cybercriminals behind these campaigns appear to be operating a rogue social media service, targeting Facebook Inc. 
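The linking argument above rests on three kinds of evidence: shared IPs, shared registrant emails, and observed redirections between hosts. As an added example that is not from the original post, the following Python encodes those relations as transcribed from this post and walks them as a graph. It treats a shared IP inside a Cloudflare front-end range (assumed from the ranges Cloudflare published at the time, to be refreshed before reuse) as weak evidence, since many unrelated sites sit behind the same reverse-proxy address, whereas a shared registrant email or an observed redirect is kept as a strong link:

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Relations transcribed from this post.  Edge kinds: "ip" (domain resolved to
# the address), "email" (registrant email), "redirect" (observed hop).
EDGES = [
    ("hizliservis.pw", "108.162.197.62", "ip"),
    ("hizliservis.pw", "108.162.196.62", "ip"),
    ("hizliservis.pw", "furkan@cod.com", "email"),
    ("socialmediasystem.net", "141.101.118.159", "ip"),
    ("socialmediasystem.net", "furkan@cod.com", "email"),
    ("sosyalmedyakusu.com", "108.162.198.203", "ip"),
    ("sosyalmedyakusu.com", "furkan@cod.com", "email"),
    ("kingprofonix.com", "108.162.198.203", "ip"),
    ("kingprofonix.com", "108.162.197.62", "ip"),
    ("profonixuser.net", "141.101.117.218", "ip"),
    ("profonixuser.net", "sosyalmedyakusu.com", "redirect"),
    ("sosyalmedyakusu.com", "hizliservis.pw", "redirect"),
    ("profonixuser.net", "molotofcu.com", "redirect"),
    ("molotofcu.com", "199.27.134.199", "ip"),
    ("wjetphp.com", "46.105.56.61", "ip"),
    ("profmedya.com", "188.138.9.39", "ip"),
    ("fiberbayim.com", "188.138.9.39", "ip"),
    ("profmedya.com", "kayahoca@gmail.com", "email"),
]

# Shared reverse-proxy front-end ranges (assumption: Cloudflare ranges as
# published at the time).  Two domains behind one such address share a
# provider, not necessarily an operator.
SHARED_FRONTEND = [ip_network("108.162.192.0/18"), ip_network("141.101.64.0/18"),
                   ip_network("199.27.128.0/21")]


def weak_ip(node: str) -> bool:
    """True when node is an IP address inside a shared front-end range."""
    try:
        addr = ip_address(node)
    except ValueError:
        return False                      # domains and emails are never 'weak IPs'
    return any(addr in net for net in SHARED_FRONTEND)


def adjacency(edges, strong_only: bool) -> dict:
    """Undirected graph; optionally drop 'ip' edges that go through shared front ends."""
    graph = defaultdict(set)
    for a, b, kind in edges:
        if strong_only and kind == "ip" and weak_ip(b):
            continue
        graph[a].add(b)
        graph[b].add(a)
    return graph


def cluster(start: str, edges=EDGES, strong_only: bool = True) -> set:
    """Every node reachable from start: one candidate infrastructure set."""
    graph = adjacency(edges, strong_only)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in graph[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


if __name__ == "__main__":
    print("strong:", sorted(cluster("hizliservis.pw")))
    print("loose: ", sorted(cluster("hizliservis.pw", strong_only=False)))
```

With only strong edges, hizliservis.pw, socialmediasystem.net, sosyalmedyakusu.com and profonixuser.net still form one cluster through the shared registrant email and the observed redirects, which is the post's conclusion; kingprofonix.com joins only when shared Cloudflare-range addresses are admitted, so that link deserves a second source before it goes into a report.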

Sample screenshots of the social media distribution 
platform's Web based interface: 
Sample advertisement of the rogue social media distribution platform: 

Facebook Page Member Shooting 
1K: 5$, 2K: 10$, 3K: 15$, 4K: 20$, 5K: 25$, 10K: 50$, 20K: 100$, 30K: 150$, 40K: 200$, 50K: 250$ 

Facebook Subscriber Prices 
1K: 2$, 2K: 5$, 3K: 7$, 4K: 10$, 5K: 12$, 6K: 13$, 7K: 15$, 8K: 17$, 9K: 20$, 10K: 25$, 20K: 50$, 30K: 100$, 40K: 150$, 50K: 200$ 

Facebook Lists Prices 
1K: 5$, 2K: 10$, 3K: 15$, 4K: 20$, 5K: 25$, 6K: 30$, 7K: 35$, 8K: 40$, 9K: 45$, 10K: 50$, 20K: 50$, 30K: 100$, 40K: 150$, 50K: 200$ 

Dealers For Sale! ProfMedya - Website: www.profmedya.com - Communication: Skype: Profonixcod; MSN: FiberBayimDestek@hotmail.com.tr 

Skype ID of the rogue company: ProFonixcod 

Secondary company name: ProfMedya - hxxp://profmedya.com - 178.33.42.254; 188.138.9.39; 89.19.20.242 - Email: kayahoca@gmail.com. The same domain, profmedya.com, used to respond to 188.138.9.39. 

Domains known to have responded to the same IP (188.138.9.39) are also the following malicious domains: 

hxxp://facebooook.biz 
hxxp://worldmedya.net 
hxxp://fastotoliked.net 
hxxp://adsmedya.com 
hxxp://facebookmedya.biz 
hxxp://fastotolike.com 
hxxp://fbmedyahizmetleri.com 
hxxp://fiberbayim.com 
hxxp://profonixcoder.com 
hxxp://sansurmedya.biz 
hxxp://sosyalpaket.com 
hxxp://takipciniarttir.net 
hxxp://videomedya.net 
hxxp://videopackage.biz 
hxxp://www-facebook.net 
hxxp://www.facebook-java.com 
hxxp://www.facemlike.com 
hxxp://www.fastcekim.com 
hxxp://www.fastotolike.com 
hxxp://www.fbmedyahizmetleri.com 
hxxp://www.profmedya.com 
hxxp://www.sansurmedya.com 

Rogue social media distribution platform operator's name: Fatih Konar 

Associated emails: fiberbayimdestek@hotmail.com.tr; nerdenezaman@hotmail.com.tr 

Google+ account: hxxps://plus.google.com/103847743683129439807/about 

Twitter account: hxxps://twitter.com/ProfonixCodtr 

Domain name reconnaissance: 

profonixcod.com (profonix-cod.com) - 216.119.143.194 - Email: abazafamily_@hotmail.com (related domains known to have been registered with the same email: warningyoutube.com; likebayi.com) 

profonixcod.net 

Updates will be posted as soon as new developments take place. 

1. http://ddanchev.blogspot.com/2014/01/facebook-spreading-amazon.html 

2. http://www.webroot.com/blog/2014/02/14/doubleclick-malvertising-campaign-exposes-long-run-beneath-radar-malvertising-infrastructure/ 

3. http://www.webroot.com/blog/2013/06/03/compromised-ftpssh-account-privilege-escalating-mass-iframe-embedding-platform-released-on-the-underground-marketplace/ 

4. http://www.webroot.com/blog/2012/11/26/cybercriminals-release-stealthy-diy-mass-iframe-injecting-apache-2-modules/ 

5. https://www.virustotal.com/en/file/7f7bd5f002de9aedde4fa5dca5356cf576c95eb58bd85178d0781dfc0ala6ca4/analysis/1395436639/ 

6. https://www.virustotal.com/en/file/7aae8f81397608d3c08e3fb645c4001260f560fl470bfbd00ed08cde8ceaedc8/analysis 

7. https://www.virustotal.com/en/file/4b91da4289b8765d4646176b7fa21f8de515ba02e97519589452346d54ff2204/analysis 

8. https://www.virustotal.com/en/file/a50411aa3850eldefcce38f079dafl75a9ca7fb32749c9b4394ef6236476d094/analysis 

9. http://www.exposedbotnets.com/2014/01/videotrin-facebook-spreading-browser.html 
Summarizing Webroot's Threat Blog Posts for January (2014-03-06 19:41) 

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for January, 2014. You can subscribe to [2]Webroot's Threat Blog RSS Feed, or follow me on Twitter: 

01. [3]'Adobe License Service Center Order NR' and 'Notice to appear in court' themed malicious spam campaigns intercepted in the wild 

02. [4]New 'Windows 8 Home Screen' themed passwords/game keys stealer spotted in the wild 

03. [5]Vendor of TDoS products resets market life cycle of well known 3G USB modem/GSM/SIM card-based TDoS tool 

04. [6]New TDoS market segment entrant introduces 96 SIM cards compatible custom GSM module, positions itself as market disrupter 

05. [7]DIY Python-based mass insecure WordPress scanning/exploiting tool with hundreds of pre-defined exploits spotted in the wild 

06. [8]Google's reCAPTCHA under automatic fire from a newly launched reCAPTCHA-solving/breaking service 

07. [9]Fully automated, API-supporting service, undermines Facebook and Google's 'SMS/Mobile number activation' account registration process 

08. [10]Newly launched managed 'compromised/hacked accounts E-shop hosting as service' standardizes the monetization process 

09. [11]Newly released Web based DDoS/Passwords stealing-capable DIY botnet generating tool spotted in the wild 

10. [12]Cybercriminals release new Web based keylogging system, rely on penetration pricing to gain market share 

This post has been reproduced from [13]Dancho Danchev's blog. Follow him [14]on Twitter. 

1. http://www.webroot.com/blog 

2. http://feeds2.feedburner.com/WebrootThreatBlog 

3. http://www.webroot.com/blog/2014/01/07/adobe-license-service-center-order-nr-notice-appear-court-themed-malicious-spam-campaigns-intercepted-wild/ 

4. http://www.webroot.com/blog/2014/01/09/new-windows-8-home-screen-themed-passwordsgame-keys-stealer-spotted-wild/ 

5. http://www.webroot.com/blog/2014/01/13/vendor-tdos-products-releases-new-gsm3g-usb-modem-based-tdos-tool/ 

6. http://www.webroot.com/blog/2014/01/16/new-tdos-market-segment-entrant-introduces-96-sim-cards-compatible-custom-gsm-module-positions-market-disruptor/ 

7. http://www.webroot.com/blog/2014/01/17/diy-python-…ndreds-pre-defined-exploits-spotted-wild/ 

8. http://www.webroot.com/blog/2014/01/21/googles-recaptcha-automatic-fire-newly-launched-recaptcha-solvingbreaking-service/ 

9. http://www.webroot.com/blog/2014/01/22/fully-automated-api-supporting-service-undermines-facebook-googles-sms-activation-mobile-number-activation-account-regist 

10. http://www.webroot.com/blog/2014/01/24/newly-launched-managed-compromisedhacked-accounts-e-shop-hosting-service-standardizes-monetization-process/ 

11. http://www.webroot.com/blog/2014/01/30/newly-released-web-based-ddospasswords-stealing-capable-diy-botnet-generating-tool-spotted-wild/ 

12. http://www.webroot.com/blog/2014/01/31/cybercriminals-release-new-web-based-keylogging-system/ 

13. http://ddanchev.blogspot.com/ 

14. http://twitter.com/danchodanchev 
Summarizing Webroot's Threat Blog Posts for February (2014-03-06 20:48) 

The following is a brief summary of all of my posts at [1]Webroot's Threat Blog for February, 2014. You can subscribe to [2]Webroot's Threat Blog RSS Feed, or follow me on Twitter: 

01. [3]Cybercriminals release Socks4/Socks5 based Alexa PageRank boosting application 

02. [4]Market leading 'standardized cybercrime-friendly E-shop' service brings 2500+ boutique E-shops online 

03. [5]Managed TeamViewer based anti-forensics capable virtual machines offered as a service 

04. [6]Malicious campaign relies on rogue WordPress sites, leads to client-side exploits through the Magnitude exploit kit 

05. [7]'Hacking for hire' teams occupy multiple underground market segments, monetize their malicious 'know how' 

06. [8]DoubleClick malvertising campaign exposes long-run beneath the radar malvertising infrastructure 

07. [9]Spamvertised 'Image has been sent' Evernote themed campaign serves client-side exploits 

08. [10]Spamvertised 'You received a new message from Skype voicemail service' themed emails lead to Angler exploit kit 

This post has been reproduced from [11]Dancho Danchev's blog. Follow him [12]on Twitter. 

1. http://www.webroot.com/blog 

2. http://feeds2.feedburner.com/WebrootThreatBlog 

3. http://www.webroot.com/blog/2014/02/04/cybercriminals-release-socks4socks5-based-alexa-pagerank-boosting-application/ 

4. http://www.webroot.com/blog/2014/02/07/market-leading-standardized-cybercrime-friendly-e-shop-service-brings-2500-boutique-e-shops-online/ 

5. http://www.webroot.com/blog/2014/02/10/managed-teamviewer-based-anti-forensics-capable-virtual-machines-offered-service/ 

6. http://www.webroot.com/blog/2014/02/12/rogue-wordpress-sites-lead-to-client-side-exploits/ 

7. http://www.webroot.com/blog/2014/02/13/hacking-hire-teams-occupy-multiple-underground-market-segments-monetize-malicious-know/ 

8. http://www.webroot.com/blog/2014/02/14/doubleclick-malvertising-campaign-exposes-long-run-beneath-radar-malvertising-infrastructure/ 

9. http://www.webroot.com/blog/2014/02/18/spamvertised-image-sent-evernote-themed-campaign-serves-client-side-exploits/ 

10. http://www.webroot.com/blog/2014/02/20/spamvertised-received-new-message-skype-voicemail-service-themed-emails-lead-angler-exploit-kit/ 

12. http://twitter.com/danchodanchev 
Win32.Nixofro Serving, Malicious Infrastructure, Exposes Fraudulent Facebook Social Media Service Provider (2014-03-22 08:18) 

I've recently spotted a malicious, cybercrime-friendly SWF 
iframe/redirector injecting service, that also exposes a 

long-run Win32.Nixofro serving malicious infrastructure, 
currently utilized for the purpose of operating a rogue social 

















media service provider, that's targeting Turkish Facebook 
users through the ubiquitous social engineering vector, for 

such type of campaigns, namely, the fake Adobe Flash 
player. 

Let's profile the service, discuss its relevance in the broader 
context of the threat landscape, provide action¬ 
able/historical threat intelligene on the malicious 
infrastructure, the rogue domains involved in it, the 
malicious 

MD5s served by the cybercriminals behind it, and directly 
link it to a [l]previously profiled Facebook spreading 

P2P-Worm.Win32.Palevo serving campaign. 

The managed SWF iframe/redirector service, is a great 
example of a cybercrime-as-a-service type of underground 

market proposition, empowering, both, sophisticated and 
novice cybercriminals with the necessary ([2]malvertising) 

'know-how', in an efficient manner, directly intersecting with 
the commercial availability of [3]sophisticated mass 

Web site/[4]Web server malicious script embedding 
platforms. 

The managed SWF ifra me/redirector injecting service is 
currently responding to 108.162.197.62 and 108.162.196.62 


875 



[ 


] 


O^W'IMblH 


OfiioewM 


VIP nsficoNi 


H*A«/1II (7 AHtH) 


5 


05 


Mecnu (30 AHeii) 
roA (365 AHeM) 


10 2 1 

15 5 2 


Known to have responded to the same IPs (108.162.197.62; 
108.162.196.62) is also a key part of the malicious 

infrastructure that I'll expose in this post, namely 
hiziiservis.pw - Email: furkan@cod.com. 

Known to have phoned back to the same IP 

(108.162.197.62) are also the following malicious 
MD5s: 

MD5: 432efe0fa88d2a9el91cb95fa88e7b36 
MD5: 720ecblcf4f28663f4ab25eedf620341 
MD5: 02691863e9dfb9e69b68f5fca932e729 
MD5: 69ed70a82cb35a454c60c501025415aa 
MD5: cc586al76668ceefl4891bl5elb412ab 
MD5: 74291941bddcecl31c8c6d531fcbl886 
MD5: 7c27d9ff25fc40119480e4fe2c7ca987 
MD5: 72c030db7163a7a7bf2871a449d4ea3c 
MD5: 432efe0fa88d2a9el91cb95fa88e7b36 

Known to have phoned to the same iP 

(108.162.196.62) are aiso the foiiowing maiicious 
MD5s: 

MD5: eda3f015204e9565c779e0725915864f 







MD5: effcfe91beaf7a3ed2f4ac79525c5fc5 

MD5: 14acd831691173ced830f4b51a93elca 

MD5: 7f93b0c611f7020d28f7a545847b51e0 

MD5: bcfce3a9bf2c87dab806623154d49fl0 

MD5: 4c90a89396d4109d8e4e2491c5da4846 

MD5: 289c4f925fdec861c7f765a65b7270af 

Sample redirection chain leading to the fake Adobe 
Flash Player: 

hxxp://hizliservis.pw/unlu.htm 

-> 

hxxp://hizliservis.pw/indirphp 

-> 

hxxp://unluvideolari. info 
-> 

hxxp://videotr in/p la yen s wf 
-> 

hxxp://izleyelim.s3. amazona ws. com/movie, mp4 

&sl<in=newtubedarl</NewTubeDark.xml &streamer=lighttpd 
&image=hqdefaultjpg 


Domain name reconnaissance: 

hizliservis.pw - Email: furkan(g)cod.com 



videotr.in - Email: tiiknet@yandex.com; snack@log-z.com 

izleyelim.s3.amazonaws.com - 176.32.97.249 

Within hiziiservis.pw, we can easily spot yet another part of 
the same malicious/fraudulent infrastructure, 

namely, the rogue social media distribution platform's login 
interface. 
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http://goo.gl/ber2EP 
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httpt://Du«x«>x.googl*cod*.eom/tvn/FUfhPljytf%20S«tup.*x* 
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Sample redirection chain leading to a currently active 
fake Adobe Flash Player (Win32.Nixofro): 

hxxp://sociaimediasystem.net/down.php -> 
hxxps://profon ixback31.googlecode.com/svn/FlashPlayer 
Guncelie.exe 
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Referrer* 


Browsers 



Detection rate for the fake Adobe Flash Player:

[5]MD5: 28c3c503d398914bdd2c2b3fdc1f9ea4 - detected by 36 out of 50 antivirus scanners as Win32.Nixofro

Once executed, the sample phones back to profonixuser.net (141.101.117.218)

Known to have responded to the same IP (141.101.117.218) are also the following malicious MD5s:

MD5: 53360155012d8e5c648aca277cbde587
MD5: a66a1c42cc6fb775254cf32c8db7ad5b
MD5: a051fd83fc8577b00d8d925581af1a3b
MD5: f47784817a8a04284af4b602c7719cb7
MD5: 2e5c75318275844ce0ff7028908e8fb4
MD5: 90205a9740df5825ce80229ca105b9e8

Domain name reconnaissance for the rogue social media distribution platform:

socialmediasystem.net (141.101.118.159; 141.101.118.158) - Email: furkan@cod.com

Sample redirection chain for the rogue social media distribution platform's core functions:

hxxp://profonixuser.net/new.php?nocache=1044379803 -> hxxp://sosyalmedyakusu.com/oauth.php (108.162.199.203; 108.162.198.203) - Email: furkan@cod.com -> hxxp://hizliservis.pw/face.php -> hxxp://socialhaberler.com/manyak.php -> hxxp://profonixuser.net/new.php -> hxxp://profonixuser.net/amk.php (141.101.117.218) -> hxxp://me.cf/dhtcw (31.110.164.61) -> hxxps://video-players.herokuapp.com/755517841177 (107.20.187.159) -> hxxp://kingprofonix.net / hxxp://kingprofonix.com (108.162.198.203). The same domain is also known to have responded to 108.162.197.62.

Related MD5s known to have phoned back to the same IP (108.162.198.203) in the past:

[6]MD5: 505f615f9e1c4fdc03964b36ec877d57

Sample internal redirectors structure:

hxxp://profonixuser.net/fb.php -> hxxp://profonixuser.net/manyak.php -> hxxp://molotofcu.com/google/hede.php (199.27.134.199)

hxxp://profonixuser.net/pp.php -> hxxp://gdriv.es/awalbbmprtbpahpolcdt?jgxebgqjl -> hxxps://googledrive.com/host/0B08vFK4UtN5kdjV2NklHVTVjcTO -> hxxp://sosyalmedyakusu.com/s3x.php?ref=google

hxxp://profonixuser.net/user.php -> hxxp://goo.gl/ber2EP -> hxxps://buexe-x.googlecode.com/svn/FlashPlayer%20Setup.exe -> [7]MD5: 60137c1cb77bed9afcbbbc3ad910df3f -> phones back to wjetphp.com (46.105.56.61)

Secondary sample internal redirectors structure:

hxxp://profonixuser.net/yarak.txt -> hxxp://profonixuser.net/u.exe -> hxxp://profonixuser.net/yeni.txt -> hxxp://profonixuser.net/yeni.exe

hxxp://profonixuser.net/recep.html -> hxxp://goo.gl/ber2EP -> hxxp://wjetphp.com/unlu/player.swf -> hxxp://profonixuser.net/kral.txt -> hxxp://likef.in/fate.exe - 108.162.194.123; 108.162.195.123; 108.162.199.107 - known to have phoned back to the same IP is also the following malicious [8]MD5: effcfe91beaf7a3ed2f4ac79525c5fc5 - detected by 35 out of 50 antivirus scanners as Trojan-Ransom.Win32.Foreign.kcme

Once executed, the sample phones back to likef.biz (176.53.119.195). The same domain is also known to have responded to the following IPs: 141.101.116.165; 141.101.117.165.

Here comes the interesting part. The fine folks at [9]ExposedBotnets have already intercepted a malicious Facebook spreading campaign that's using videotr.in, already profiled in this post.

Having directly connected the cybercrime-friendly SWF iframe/redirector injecting service with hizliservis.pw, as well as the SocialMediaSystem, as being part of the same malicious infrastructure, it's time to profile the fraudulent/malicious adversaries behind the campaigns. The cybercriminals behind these campaigns appear to be operating a rogue social media service, targeting Facebook Inc.

Sample screenshots of the social media distribution platform's Web based interface:
Sample advertisement of the rogue social media distribution platform:

Facebook Page Member Sbootiiig 1
1K: 5$; 2K: 10$; 3K: 15$; 4K: 20$; 5K: 25$
10K: 50$; 20K: 100$; 30K: 150$; 40K: 200$; 50K: 250$

Facebook Subscriber Prices
1K: 2$; 2K: 5$; 3K: 7$; 4K: 10$; 5K: 12$; 6K: 13$; 7K: 15$; 8K: 17$; 9K: 20$; 10K: 25$
20K: 50$; 30K: 100$; 40K: 150$; 50K: 200$

Facebook Lists Prices
Skype ID of the rogue company: ProFonixcod

Secondary company name: ProfMedya - hxxp://profmedya.com - 178.33.42.254; 188.138.9.39; 89.19.20.242 - Email: kayahoca@gmail.com. The same domain, profmedya.com, used to respond to 188.138.9.39.

Domains known to have responded to the same IP (188.138.9.39) are also the following malicious domains:

hxxp://facebooook.biz
hxxp://worldmedya.net
hxxp://fastotoliked.net
hxxp://adsmedya.com
hxxp://facebookmedya.biz
hxxp://fastotolike.com
hxxp://fbmedyahizmetleri.com
hxxp://fiberbayim.com
hxxp://profonixcoder.com
hxxp://sansurmedya.biz
hxxp://sosyalpaket.com
hxxp://takipciniarttir.net
hxxp://videomedya.net
hxxp://videopackage.biz
hxxp://worldmedya.net
hxxp://www-facebook.net
hxxp://www.facebook-java.com
hxxp://www.facemlike.com
hxxp://www.fastcekim.com
hxxp://www.fastotolike.com
hxxp://www.fbmedyahizmetleri.com
hxxp://www.profmedya.com
hxxp://www.sansurmedya.com

Rogue social media distribution platform operator's name: Fatih Konar

Associated emails: fiberbayimdestek@hotmail.com.tr; nerdenezaman@hotmail.com.tr

Google+ account: hxxps://plus.google.com/103847743683129439807/about
Twitter account: hxxps://twitter.com/ProfonixCodtr

Domain name reconnaissance:

profonixcod.com (profonix-cod.com) - 216.119.143.194 - Email: abazafamily_@hotmail.com (related domains known to have been registered with the same email - warningyoutube.com; likebayi.com)

profonixcod.net

Updates will be posted as soon as new developments take place.



1. http://ddanchev.blogspot.com/2014/01/facebook-spreading-amazon.html
2. http://www.webroot.com/blog/2014/02/14/doubleclick-malvertising-campaign-exposes-long-run-beneath-radar-malvertising-infrastructure/
3. http://www.webroot.com/blog/2013/06/03/compromised-ftpssh-account-privilege-escalating-mass-iframe-embedding-platform-released-on-the-underground-marketplace/
4. http://www.webroot.com/blog/2012/11/26/cybercriminals-release-stealthy-diy-mass-iframe-injecting-apache-2-modules/
5. https://www.virustotal.com/en/file/7f7bd5f002de9aedde4fa5dca5356cf576c95eb58bd85178d0781dfc0a1a6ca4/analysis/1395436639/
6. https://www.virustotal.com/en/file/7aae8f81397608d3c08e3fb645c4001260f560f1470bfbd00ed08cde8ceaedc8/analysis
7. https://www.virustotal.com/en/file/4b91da4289b8765d4646176b7fa21f8de515ba02e97519589452346d54ff2204/analysis
8. https://www.virustotal.com/en/file/a50411aa3850e1defcce38f079daf175a9ca7fb32749c9b4394ef6236476d094/analysis
9. http://www.exposedbotnets.com/2014/01/videotrin-facebook-spreading-browser.html
Rogue Android Apps Hosting Web Site Exposes Malicious Infrastructure (2014-10-21 21:24)

With cybercriminals continuing to populate the cybercrime ecosystem with automatically generated and monetized mobile malware variants, we continue to observe a logical shift towards convergence of [1]cybercrime-friendly revenue sharing affiliate networks and [2]malicious infrastructure providers, on their way to further achieve a positive ROI (return on investment) out of their [3]risk-forwarding fraudulent activities.

I've recently spotted a legitimately looking, [4]rogue Android apps hosting Web site, directly connected to a market leading [5]DIY API-enabled mobile malware generating/monetizing platform, further exposing related [6]fraudulent operations performed while utilizing the [7]malicious infrastructure, which I'll expose in this post.

Let's assess the campaign, expose the malicious infrastructure behind it, list the cybercrime-friendly premium rate SMS numbers involved in it, as well as related malicious MD5s known to have participated in the campaign/have utilized the same malicious infrastructure.
Sample rogue Android apps hosting URL:

hxxp://androidapps.mob.wf - 37.1.206.173

Responding to the same IP (37.1.206.173) are also the following fraudulent domains:

hxxp://22-minuty.ru
hxxp://nygolfpro.com
hxxp://bloomster.dp.ua
hxxp://stdstudio.com.ua
hxxp://autosolnce.ru

Detection rate for sample rogue Android apps:

[8] MD5: 4bf349b601fd73c74eafc01ce8ea8be7
[9] MD5: c4508c127029571e5b6f6b08e5c91415
[10] MD5: bd296d35bf41b9ae73ed816cc7c4c38b

Sample redirection chain exposing the fraudulent infrastructure:

hxxp://22-minuty.ru -> hxxp://playersharks2.com/player.php/?userid= - 94.242.214.133; 94.242.214.155

Known to have responded to the same IPs (94.242.214.133; 94.242.214.155) are also the following fraudulent domains, participating in a related revenue-sharing affiliate network based type of monetization scheme:

hxxp://4books.ru
hxxp://annoncer.media-bar.ru
hxxp://booksbutton1.com
hxxp://film-club.ru
hxxp://film-popcorn.ru
hxxp://filmbuttons.ru
hxxp://filmi-doma.com
hxxp://filmonika.ru
hxxp://films.909.su
hxxp://indiiskie.ru
hxxp://kinozond.ru
hxxp://media-bar.ru
hxxp://playersharks2.com
hxxp://playersharks4.com
hxxp://pplayer.ru
hxxp://sharksplayer2.com
hxxp://sharksplayers.ru
hxxp://sharksreader.ru
hxxp://tema-info.ru
hxxp://toppfilms.ru
hxxp://video-movies.com
hxxp://video.909.su
hxxp://videodomm.ru
hxxp://videozzy.com
hxxp://videozzzz.ru
hxxp://websharks.ru
hxxp://yasmotrju.ru
Malicious MD5s known to have phoned back to the same IP (94.242.214.133):

MD5: 9ec8aef6dc0e3db8596ac54318847328
MD5: 895c38ec4fb1fbee47bfb3b6ee3a170b
MD5: c4d88b32b605500b7f86de5569a11e22
MD5: 49861fd4748dd57c192139e8bd5b71e3
MD5: 8b350f8a32ef4b28267995cf8f0ceae1

Premium rate SMS numbers involved in the fraudulent scheme:

7151; 9151; 2855; 3855; 3858; 2858; 8151; 7155; 7255; 3190; 3200; 3170; 3006; 3150; 6150; 4124; 4481; 7781; 5014; 1151; 4125; 1141; 1131; 1350; 3354; 7122; 3353; 7132; 3352; 8355; 8155; 8055; 7515; 1037; 1953; 3968; 5370; 1952; 3652; 5373; 9191; 1005; 7019; 7250; 1951; 7015; 7099; 7030
Once executed, MD5: 9ec8aef6dc0e3db8596ac54318847328 phones back to the following C&C servers, further exposing the malicious infrastructure:

67.215.246.10:6881; 82.221.103.244:6881; 114.252.58.66:6407; 89.136.77.86:45060;
212.25.54.183:32822; 107.191.223.72:22127; 87.89.149.106:24874; 82.247.154.128:47988;
108.181.68.73:47342; 82.74.179.126:52352; 121.222.168.146:64043; 217.121.30.46:34421;
115.143.245.78:51548; 110.15.205.16:51477; 37.114.69.97:19079; 85.229.206.243:55955;
95.109.112.178:60018; 95.68.195.182:44025; 239.192.152.143:6771; 109.187.54.101:13100;
117.194.5.97:55535; 95.29.112.178:59039; 109.162.133.97:19459; 83.205.112.178:11420;
95.68.3.182:53450; 175.115.103.140:52696; 197.2.133.97:27334; 84.55.8.7:10060;
27.5.132.243:19962; 123.109.176.178:36527; 175.157.176.178:22906; 188.187.147.247:14745;
178.212.133.205:52416; 145.255.1.250:41973; 213.21.32.190:51413; 93.73.165.31:61889;
176.97.214.119:46605; 185.51.127.134:16447; 109.239.42.123:16845; 77.232.158.215:40266;
178.173.37.2:47126; 62.84.24.219:47594; 37.144.87.15:13448; 5.251.28.179:39620;
94.19.66.51:42894; 94.51.242.89:35691; 93.179.102.216:24458; 212.106.62.201:44821;
95.52.69.39:12249; 46.118.64.45:44172; 217.175.33.130:45244; 185.8.126.226:32972;
93.92.200.202:56664; 94.214.220.37:35196; 46.182.132.67:32103; 46.188.123.131:11510;
83.139.188.142:34549; 188.232.124.16:27582; 91.213.23.226:19751; 95.32.142.28:55555;
95.83.188.157:15714; 95.128.244.10:59239; 176.31.240.170:6882; 79.109.88.241:6881;
91.215.90.109:34600; 62.198.229.165:6881; 91.148.118.250:21558; 81.82.210.40:6881;
97.121.23.163:31801; 78.186.155.62:6881; 78.1.158.105:47475; 79.160.62.185:9005;
213.87.123.81:17790; 178.150.154.26:26816; 83.174.247.71:59908; 109.87.175.144:29374;
86.57.186.171:45013; 193.222.140.60:35691; 176.115.158.138:24253; 42.98.191.90:7085;
178.127.152.72:10107; 82.239.74.201:61137; 185.19.22.192:46337; 86.185.92.38:10819;
78.214.194.145:24521; 37.78.85.173:49001; 82.70.112.150:32371; 37.131.212.35:18525;
79.136.156.151:59659; 2.134.48.150:12530; 95.29.164.86:6881; 37.147.16.242:64954;
79.45.36.86:22690; 112.208.182.65:56374; 62.99.29.74:44822; 95.16.12.111:12765;
124.169.69.69:41216; 5.164.83.49:62348; 79.22.73.216:61914; 46.63.131.146:6881;
89.150.119.203:55029; 58.23.49.24:2717; 83.41.5.241:45624; 87.21.80.23:27949;
178.150.176.150:57997; 178.127.195.146:58278; 5.141.236.13:15784; 125.182.35.138:54094;
99.228.23.82:29302; 14.111.131.146:33433; 122.177.90.137:25375; 178.223.195.146:54596;
182.54.112.150:1058; 109.23.145.152:31514; 213.241.204.31:27769; 188.168.58.6:45823;
2.94.4.215:50830; 42.91.39.236:13923; 116.33.113.4:19973; 86.182.170.27:25712;
177.82.206.231:39043; 122.143.152.35:7890; 217.13.219.147:39190; 77.75.13.195:16279;
87.239.5.144:58749; 89.141.116.97:49001; 176.106.11.49:44690; 112.14.110.199:33243;
122.26.6.52:20527; 178.223.195.146:23034; 98.118.85.85:51413; 190.63.131.146:6881;
46.151.242.82:16046; 176.106.19.185:46114; 85.113.157.12:62633; 192.168.0.105:58749;
211.89.227.34:56333; 36.68.16.149:42839; 31.15.80.10:42061; 130.15.95.112:6881;
87.119.245.51:6882; 109.173.101.19:19700; 193.93.187.234:1214; 176.106.18.254:43469;
176.183.137.53:19155; 176.113.168.51:52672; 93.123.60.130:52981; 79.100.9.81:14053;
91.124.125.16:29914; 46.16.228.135:53473; 95.61.55.234:22974; 190.213.101.39:44376;
58.173.158.99:50821; 188.25.108.102:31047; 95.153.175.173:15563; 75.120.194.116:58001;
61.6.218.126:63291; 128.70.19.98:64296; 5.167.193.5:25861; 185.57.73.27:47892;
109.205.249.105:58449; 77.228.235.226:57715; 2.62.49.161:49001; 67.234.161.61:65228;
91.243.100.237:40431; 105.155.1.67:16084; 73.34.178.71:41864; 145.255.169.122:4612;
92.241.241.4:61613; 145.255.21.166:46596; 83.253.71.148:34016; 173.246.26.126:12988;
79.181.115.213:43853; 46.237.69.97:50772; 86.159.67.146:48959; 213.100.105.54:52147;
178.45.129.126:45710; 188.78.232.53:39336; 70.82.20.41:11248; 88.132.82.254:52722;
85.198.154.126:35403; 89.67.245.2:21705; 95.76.128.209:36640; 61.242.114.3:6383;
79.112.156.169:10236; 95.25.111.173:40781; 108.36.82.254:57393; 88.8.84.79:56740;
118.36.49.220:59561; 60.197.149.187:12996; 86.26.224.104:39597; 120.61.161.250:10023;
151.249.239.173:6881; 86.178.212.41:28489; 95.180.244.144:48245; 111.171.83.212:52952;
122.164.99.166:1024; 201.110.110.63:19314; 79.100.52.144:54312; 194.219.103.45:24008;
178.89.171.19:10003; 124.12.192.197:6881; 92.96.186.112:31100; 207.216.138.62:6881;
194.8.234.230:51413; 92.220.24.133:6881; 2.134.203.233:6881; 122.169.237.54:17407;
36.232.153.137:16001; 130.43.123.202:45689; 86.73.45.54:56161; 37.215.93.59:27997;
78.154.164.176:42780; 5.10.134.6:50452; 98.176.222.50:61000; 93.54.90.126:1189;
220.81.46.201:51526; 39.41.111.173:7702; 41.111.41.122:19132; 211.108.64.209:20728;
178.66.212.41:14865; 182.187.103.45:57751; 118.41.230.79:52520; 186.155.231.45:34294;
109.174.113.128:15947; 188.6.88.229:16785; 99.247.58.79:23197; 94.137.237.54:14617;
197.203.129.67:10204; 5.107.65.67:21618; 117.194.114.71:64476; 94.153.45.54:32715;
2.176.158.50:17404; 5.18.178.71:50971; 78.130.212.41:63075; 86.121.45.54:55858;
109.187.1.67:15413; 108.199.125.160:38558; 83.181.18.121:15859; 93.109.242.198:26736;
95.86.220.68:27877; 37.204.22.24:24146; 198.203.28.43:17685
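The indicators in this post (and in the redirection chains and MD5 lists of the previous post) are written in the usual defanged brief style, and a defender's first job is to turn them into data that can actually be checked. The script below is an added example, not the author's tooling and not part of either post: it refangs hxxp:// URLs into real schemes, extracts the hostnames for DNS detection, accepts only 32-hex-digit MD5 tokens (reports of this kind are often copied through OCR, and a hash containing 'l' where '1' belongs is a broken indicator), parses the IP:port pairs above, and sets aside addresses that cannot be an Internet C&C. Two entries in the list above fall into that last bucket: 192.168.0.105 is an RFC 1918 private address and 239.192.152.143 is a multicast address, so both are noise in a phone-home list. Endpoints on 6881/6882, the conventional BitTorrent ports, are kept but flagged as low confidence, since many of the ports above look like peer-to-peer traffic rather than a dedicated controller. The sample text inside the script is constructed from values that appear on this page; the Suricata rule generator assumes the Suricata 5+ `dns.query` sticky-buffer syntax.

```python
"""Normalize indicators from a defanged OSINT brief into checkable data.

Added example; not code from the post or its author. The values in
SAMPLE_BRIEF are copied from the lists on this page; the regexes,
verdicts and rule format are this example's own choices.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample in the post's defanged style (values taken from the page).
SAMPLE_BRIEF = """\
hxxp://hizliservis.pw/unlu.htm -> hxxp://hizliservis.pw/indir.php
hxxps://video-players.herokuapp.com/755517841177 (107.20.187.159)
MD5: 9ec8aef6dc0e3db8596ac54318847328
MD5: 720ecblcf4f28663f4ab25eedf620341   (OCR damage: 'l' is not a hex digit)
67.215.246.10:6881
239.192.152.143:6771
192.168.0.105:58749
93.54.90.126:1189
"""

URL_RE = re.compile(r"hxxps?://[^\s()<>\"']+", re.IGNORECASE)
# Any 32-character alphanumeric token; hex validity is checked separately so
# that damaged hashes are reported instead of silently dropped.
MD5_TOKEN_RE = re.compile(r"(?<![0-9A-Za-z])[0-9A-Za-z]{32}(?![0-9A-Za-z])")
HEX32_RE = re.compile(r"[0-9a-f]{32}")
IP_PORT_RE = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3})(?::(\d{1,5}))?\b")

# Conventional BitTorrent ports: an endpoint seen only here is weak C&C evidence.
P2P_PORTS = {6881, 6882}


def refang(url):
    """Turn hxxp:// or hxxps:// back into a real scheme; drop trailing punctuation."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).rstrip(".,;")


def ip_verdict(ip_text):
    """Classify an IPv4 string; only 'routable' addresses can be an Internet C&C."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "malformed"
    if ip.is_multicast:
        return "multicast"
    if ip.is_loopback or ip.is_link_local or ip.is_reserved or ip.is_unspecified:
        return "non-routable"
    if ip.is_private:
        return "private"
    return "routable"


def extract_iocs(text):
    """Return normalized indicators plus the items that were rejected or flagged."""
    iocs = {"urls": [], "domains": set(), "md5s": [], "rejected_md5s": [],
            "endpoints": [], "low_confidence": [], "non_routable": []}
    for raw in URL_RE.findall(text):
        url = refang(raw)
        iocs["urls"].append(url)
        host = (urlsplit(url).hostname or "").lower()
        if host:
            try:
                ipaddress.ip_address(host)   # IP-literal hosts are handled below
            except ValueError:
                iocs["domains"].add(host)    # a hostname, suitable for DNS rules
    for token in MD5_TOKEN_RE.findall(text):
        if HEX32_RE.fullmatch(token.lower()):
            iocs["md5s"].append(token.lower())
        else:
            iocs["rejected_md5s"].append(token)
    for ip_text, port_text in IP_PORT_RE.findall(text):
        port = int(port_text) if port_text else None
        verdict = ip_verdict(ip_text)
        if verdict != "routable":
            iocs["non_routable"].append((ip_text, verdict))
        elif port in P2P_PORTS:
            iocs["low_confidence"].append((ip_text, port))
        else:
            iocs["endpoints"].append((ip_text, port))
    iocs["domains"] = sorted(iocs["domains"])
    return iocs


def suricata_dns_rules(domains, sid_base=1000001):
    """Emit one DNS-query alert per domain (Suricata 5+ dns.query buffer syntax)."""
    return [
        f'alert dns any any -> any any (msg:"OSINT brief domain {d}"; '
        f'dns.query; content:"{d}"; nocase; sid:{sid_base + i}; rev:1;)'
        for i, d in enumerate(domains)
    ]


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_BRIEF)
    for key, values in found.items():
        print(f"{key}: {values}")
    print("\n".join(suricata_dns_rules(found["domains"])))
```

Run against the full list above, the script keeps the routable endpoints, reports the private and multicast entries separately, and leaves the 6881/6882 endpoints in a bucket that needs corroboration (a second sample, a sandbox capture, or passive DNS) before they are worth blocking.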

What's particularly interesting about this campaign is the fact that the Terms of Service (ToS) presented to gullible and socially engineered end users refers to a well known Web site (jmobi.net), directly connected with the market leading [11]DIY API-enabled mobile malware generating/monetization platform, extensively profiled in a previously published post.

As cybercriminals continue to achieve a cybercrime-ecosystem wide [12]standardization, we'll continue to observe an increase in fraudulent activity, with the cybercriminals behind it continuing to innovate on their way to achieve efficient monetization schemes and risk-forwarding centered fraudulent models, further contributing to the adaptive innovation to be applied to the current [13]TTPs (tactics, techniques and procedures) utilized by them.